CVE-2026-46741
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk19th percentile - higher than 19% of all known CVEs
Summary
Etsy::StatsD versions through 1.002002 for Perl allow metric injections. Metric names and values are not checked for newlines, colons, or pipes, allowing for the injection of additional metrics from untrusted sources.
Risk Assessment
Organizations may be exposed to data manipulation, leading to false analytics and decisions based on incorrect data.
Recommendation
It is recommended to upgrade to the latest version of Etsy::StatsD and implement validation for metric names and values to prevent metric injections.
Original NVD description (English source)
Etsy::StatsD versions through 1.002002 for Perl allow metric injections. The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections.

