CVE-2026-46739

Source
https://cve.org/CVERecord?id=CVE-2026-46739
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46739.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46739
Downstream
Published
2026-06-04T15:45:23.797Z
Modified
2026-07-15T01:49:02.267977392Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Net::Statsd versions before 0.13 for Perl allow metric injections
Details

Net::Statsd versions before 0.13 for Perl allow metric injections.

The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

The update_stats (used for updating counters) and gauge methods do not check that values are numeric (which would block metric injection).

Database specific
{
    "cna_assigner": "CPANSec",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46739.json",
    "cwe_ids": [
        "CWE-150",
        "CWE-93"
    ]
}
References

Affected packages

Git / github.com/cosimo/perl5-net-statsd

Affected ranges

Type
GIT
Repo
https://github.com/cosimo/perl5-net-statsd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:cosimo:net\\:\\:statsd:*:*:*:*:*:perl:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.13"
        }
    ]
}

Affected versions

0.*
0.04
0.05
0.06
0.07
0.08
0.09
0.10
0.11
0.12
CPAN-0.*
CPAN-0.01
CPAN-0.02
CPAN-0.03
CPAN-0.04
Other
multi-metric

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46739.json"