CVE-2026-8788

7.3 HIGH

Published: May 18, 2026 Modified: May 19, 2026

Description

Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.10.1/changes

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

https://www.cve.org/CVERecord?id=CVE-2026-46719

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

2 reference(s) from NVD

Quick Stats

CVSS v3 Score

7.3 / 10.0

EPSS (Exploit Probability)

0.2%

13th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-93

Related CVEs

CVE-2026-48777 N/A

CVE-2026-47750 7.8

CVE-2026-47747 7.8

CVE-2026-46448 5.4

CVE-2026-22313 9.1