CVE-2026-11373
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk27th percentile — higher than 27% of all known CVEs
Summary
Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Newlines are not removed from metric names, allowing for these injections.
Risk Assessment
Organizations may be exposed to data manipulation of metrics, potentially leading to false analyses and reports.
Recommendation
It is recommended to upgrade to the latest version of Net::Statsite::Client to eliminate the possibility of metric injections.
Original NVD description (English source)
Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol control characters such as colons or pipes, allowing metric injections.

