CVE-2026-8788
Deferred Deferred - Pending Action
Metric Injection in Net::Statsd::Lite Perl Module

Publication date: 2026-05-18

Last updated on: 2026-05-19

Assigner: CPANSec

Description
Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-19
Generated
2026-06-10
AI Q&A
2026-05-18
EPSS Evaluated
2026-06-08
NVD
CVE-2026-8788
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability allows attackers to inject arbitrary Statsd metrics by exploiting the lack of input validation in the set_add method.

This can lead to inaccurate or misleading metric data, which may affect monitoring, alerting, and performance analysis systems that rely on these metrics.

In environments where metrics influence automated decisions or billing, this could cause operational disruptions or financial inaccuracies.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Net::Statsd::Lite to a version later than 0.10.0 where the issue is fixed.

Additionally, ensure that values passed to the set_add method are sanitized to prevent injection of newlines, colons, or pipes.

Executive Summary

This vulnerability exists in Net::Statsd::Lite versions through 0.10.0 for Perl, where the values passed to the set_add method were not properly validated for special characters such as newlines, colons, or pipes.

Because these characters were not checked, an attacker could inject additional Statsd metrics by supplying crafted input from untrusted sources, leading to metric injection.

This issue is similar to a previously fixed vulnerability (CVE-2026-46719) that addressed metric name injection in version 0.9.0.

Compliance Impact

The vulnerability in Net::Statsd::Lite versions through 0.10.0 allows metric injections due to improper validation of input values. This can lead to the injection of additional statsd metrics from untrusted sources, potentially compromising the integrity and reliability of monitoring data.

While the CVE description indicates a risk to data integrity and availability (CVSS 7.3 with impact on confidentiality, integrity, and availability), there is no direct information provided about its impact on compliance with standards such as GDPR or HIPAA.

Therefore, without explicit details on how this vulnerability might lead to unauthorized access to personal or protected health information, or how it might affect regulatory compliance, it is not possible to definitively assess its impact on compliance with common standards and regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8788. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart