CVE Catalog

CVE-2026-50638

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

24th percentile — higher than 24% of all known CVEs

Summary

Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol allows multiple metrics to be sent per packet, creating a risk of injecting malicious data.

Risk Assessment

Organizations may be exposed to data manipulation, leading to incorrect analyses and decisions based on false information.

Recommendation

It is recommended to upgrade to version 0.04 or later to protect against metric injections and to validate tags for newlines and control characters.

Original NVD description (English source)

Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS