CVE-2026-46741
Metric Injection in Etsy::StatsD Perl Library
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: CPANSec
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| etsy | statsd | up to 1.002002 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Etsy::StatsD versions through 1.002002 for Perl, where metric names and values are not properly validated for special characters such as newlines, colons, or pipes.
Because of this lack of validation, metrics generated from untrusted sources can inject additional StatsD metrics, potentially manipulating the metrics system.
Additionally, the unreleased version in the git repository includes gauge and set methods that also do not check for potential metric injections.
How can this vulnerability impact me?
This vulnerability can allow attackers or untrusted sources to inject arbitrary metrics into the StatsD system.
Such metric injections could lead to inaccurate or misleading monitoring data, which may affect system monitoring, alerting, and decision-making processes.
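A caller-side check that rejects metric names and values containing newlines, colons, or pipes before they reach a StatsD client, shown as an added example that is not code from Etsy::StatsD or from this advisory. The helper names `safe_metric` and `record_count`, the allow-list patterns, and the sample inputs are assumptions made for illustration; the script does not call the library.

```perl
use strict;
use warnings;

# StatsD wire format: one "<name>:<value>|<type>" record per line.
# Assumed allow-list for this example: names use letters, digits, '.', '_'
# and '-'; values are plain numbers. \A and \z are used instead of ^ and $
# because $ would still match before a trailing newline.
my $NAME_RE  = qr/\A[A-Za-z0-9._-]{1,200}\z/;
my $VALUE_RE = qr/\A[+-]?[0-9]+(?:\.[0-9]+)?\z/;
my $TYPE_RE  = qr/\A(?:c|ms|g|s)\z/;

# Hypothetical helper: returns one StatsD record or dies on unsafe input.
sub safe_metric {
    my ($name, $value, $type) = @_;
    die "unsafe metric name\n"  unless defined $name  && $name  =~ $NAME_RE;
    die "unsafe metric value\n" unless defined $value && $value =~ $VALUE_RE;
    die "unknown metric type\n" unless defined $type  && $type  =~ $TYPE_RE;
    return "$name:$value|$type";
}

# Number of records a line-oriented StatsD parser would see in one payload.
sub record_count {
    my ($payload) = @_;
    return scalar grep { length } split /\n/, $payload;
}

# Constructed inputs: the second name carries an embedded newline and the
# third value carries a pipe, as fields copied from untrusted input might.
my @samples = (
    [ 'web.login.ok',                        1,       'c'  ],
    [ "web.page.home\nweb.errors.total:0|g", 1,       'c'  ],
    [ 'web.latency',                         '12|ms', 'ms' ],
);

for my $s (@samples) {
    my ($name, $value, $type) = @$s;
    my $raw = "$name:$value|$type";          # unvalidated concatenation
    my $out = eval { safe_metric($name, $value, $type) };
    my $err = defined $out ? '' : $@;
    chomp $err;
    (my $shown = $raw) =~ s/\n/\\n/g;        # make the newline visible
    printf "%-45s raw records: %d  validated: %s\n",
        $shown, record_count($raw),
        defined $out ? 'accepted' : "rejected ($err)";
}
```

The second sample yields two records when concatenated without validation and is rejected by the check, as is the third sample with the pipe in its value.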