CVE-2026-8788 (GCVE-0-2026-8788)
Vulnerability from cvelistv5
Published
2026-05-18 06:34
Modified
2026-05-19 12:45
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences
Summary
Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names.
References
Impacted products
Vendor Product Version
RRWO Net::Statsd::Lite Version: 0   <
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-8788",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-19T12:45:22.290912Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-19T12:45:27.703Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Net-Statsd-Lite",
          "product": "Net::Statsd::Lite",
          "programRoutines": [
            {
              "name": "Net::Statsd::Lite::record_metric"
            }
          ],
          "repo": "https://github.com/robrwo/Net-Statsd-Lite",
          "vendor": "RRWO",
          "versions": [
            {
              "lessThanOrEqual": "0.10.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections.\n\nThe values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.\n\nNote that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-18T06:34:24.030Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.10.1/changes"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to Net::Statsd::Lite version 0.10.1 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-14T00:00:00.000Z",
          "value": "Issue reported to CPANSec"
        },
        {
          "lang": "en",
          "time": "2026-05-15T00:00:00.000Z",
          "value": "Author notified"
        },
        {
          "lang": "en",
          "time": "2026-05-16T00:00:00.000Z",
          "value": "Fix released for CVE-2026-46719"
        },
        {
          "lang": "en",
          "time": "2026-05-17T00:00:00.000Z",
          "value": "CVE-2026-8788 identified by author"
        },
        {
          "lang": "en",
          "time": "2025-05-17T00:00:00.000Z",
          "value": "Fix released for CVE-2026-8788"
        }
      ],
      "title": "Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections",
      "workarounds": [
        {
          "lang": "en",
          "value": "In version 0.10.0, use the secure_set_add method which logs an HMAC digest of the value instead of the raw value.\n\nValidate that all values sent to the client based on untrusted data do not contain metric injections."
        }
      ],
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-8788",
    "datePublished": "2026-05-18T06:34:24.030Z",
    "dateReserved": "2026-05-17T12:01:20.592Z",
    "dateUpdated": "2026-05-19T12:45:27.703Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-8788\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-19T12:45:22.290912Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-19T12:44:57.955Z\"}}], \"cna\": {\"title\": \"Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"affected\": [{\"repo\": \"https://github.com/robrwo/Net-Statsd-Lite\", \"vendor\": \"RRWO\", \"product\": \"Net::Statsd::Lite\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"0.10.0\"}], \"packageName\": \"Net-Statsd-Lite\", \"collectionURL\": \"https://cpan.org/modules\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"Net::Statsd::Lite::record_metric\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-05-14T00:00:00.000Z\", \"value\": \"Issue reported to CPANSec\"}, {\"lang\": \"en\", \"time\": \"2026-05-15T00:00:00.000Z\", \"value\": \"Author notified\"}, {\"lang\": \"en\", \"time\": \"2026-05-16T00:00:00.000Z\", \"value\": \"Fix released for CVE-2026-46719\"}, {\"lang\": \"en\", \"time\": \"2026-05-17T00:00:00.000Z\", \"value\": \"CVE-2026-8788 identified by author\"}, {\"lang\": \"en\", \"time\": \"2025-05-17T00:00:00.000Z\", \"value\": \"Fix released for CVE-2026-8788\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to Net::Statsd::Lite version 0.10.1 or later.\"}], \"references\": [{\"url\": \"https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.10.1/changes\", \"tags\": [\"release-notes\"]}, {\"url\": \"https://www.cve.org/CVERecord?id=CVE-2026-46719\", \"tags\": [\"related\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"In version 0.10.0, use the secure_set_add method which logs an HMAC digest of the value instead of the raw value.\\n\\nValidate that all values sent to the client based on untrusted data do not contain metric injections.\"}], \"x_generator\": {\"engine\": \"cpansec-cna-tool 0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections.\\n\\nThe values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.\\n\\nNote that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-93\", \"description\": \"CWE-93 Improper Neutralization of CRLF Sequences\"}]}], \"providerMetadata\": {\"orgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"shortName\": \"CPANSec\", \"dateUpdated\": \"2026-05-18T06:34:24.030Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-8788\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-19T12:45:27.703Z\", \"dateReserved\": \"2026-05-17T12:01:20.592Z\", \"assignerOrgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"datePublished\": \"2026-05-18T06:34:24.030Z\", \"assignerShortName\": \"CPANSec\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.