CVE-2026-9270
9.1 CRITICALDataDog::DogStatsd versions through 0.07 for Perl allow metric injections
Published: 2026-06-05 · Last updated: 2026-06-10
Severity and scoring
- CVSS
- 9.1 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- CWE
- CWE-150, CWE-93
Affected products
| Vendor | Product |
|---|---|
| binary | datadog\ |
Description
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix. The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram. The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections. Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-11362 — DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags (9.8 CRITICAL)
Same CWE
- CVE-2026-50639 — Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections (6.5 MEDIUM)
- CVE-2026-50638 — Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections
- CVE-2026-50637 — Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections
- CVE-2026-49756 — Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via att...
- CVE-2026-11362 — DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags (9.8 CRITICAL)