CVE-2026-8788 PUBLISHED

Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections

Assigner: CPANSec
Reserved: 17.05.2026 Published: 18.05.2026 Updated: 18.05.2026

Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections.

The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names.

Product Status

Vendor	RRWO
Product	Net::Statsd::Lite
Versions	Default: unaffected affected from 0 to 0.10.0 (incl.)

Workarounds

In version 0.10.0, use the secure_set_add method which logs an HMAC digest of the value instead of the raw value.

Validate that all values sent to the client based on untrusted data do not contain metric injections.

Solutions

Upgrade to Net::Statsd::Lite version 0.10.1 or later.

References

https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.10.1/changes
https://www.cve.org/CVERecord?id=CVE-2026-46719

Problem Types

CWE-93 Improper Neutralization of CRLF Sequences CWE