CVE-2026-8788

Deferred Deferred - Pending Action

Metric Injection in Net::Statsd::Lite Perl Module

Publication date: 2026-05-18

Last updated on: 2026-06-19

Assigner: CPANSec

Description

Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-18

Last Modified

2026-06-19

Generated

2026-06-30

AI Q&A

2026-05-18

EPSS Evaluated

2026-06-28

NVD

CVE-2026-8788

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-93	The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CWE-150	The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

Attack-Flow Graph

Impact Analysis

The vulnerability allows attackers to inject arbitrary Statsd metrics by exploiting the lack of input validation in the set_add method.

This can lead to inaccurate or misleading metric data, which may affect monitoring, alerting, and performance analysis systems that rely on these metrics.

In environments where metrics influence automated decisions or billing, this could cause operational disruptions or financial inaccuracies.

Executive Summary

This vulnerability exists in Net::Statsd::Lite versions through 0.10.0 for Perl, where the values passed to the set_add method were not properly validated for special characters such as newlines, colons, or pipes.

Because these characters were not checked, an attacker could inject additional Statsd metrics by supplying crafted input from untrusted sources, leading to metric injection.

This issue is similar to a previously fixed vulnerability (CVE-2026-46719) that addressed metric name injection in version 0.9.0.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Net::Statsd::Lite to a version later than 0.10.0 where the issue is fixed.

Additionally, ensure that values passed to the set_add method are sanitized to prevent injection of newlines, colons, or pipes.

Compliance Impact

The vulnerability in Net::Statsd::Lite versions through 0.10.0 allows metric injections due to improper validation of input values. This can lead to the injection of additional statsd metrics from untrusted sources, potentially compromising the integrity and reliability of monitoring data.

While the CVE description indicates a risk to data integrity and availability (CVSS 7.3 with impact on confidentiality, integrity, and availability), there is no direct information provided about its impact on compliance with standards such as GDPR or HIPAA.

Therefore, without explicit details on how this vulnerability might lead to unauthorized access to personal or protected health information, or how it might affect regulatory compliance, it is not possible to definitively assess its impact on compliance with common standards and regulations.

Hi! I’m here to help you understand CVE-2026-8788. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70