CVE-2026-9270
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections due to improper input sanitization. The send_stats method does not remove newlines from metric names, allowing attackers to change the metric name prefix.
Risk Assessment
Organizations may be exposed to unauthorized metric injections, leading to false data in monitoring and analytics systems. This creates a risk of making incorrect decisions based on inaccurate information.
Recommendation
It is recommended to upgrade to the latest version of DataDog::DogStatsd that improves input sanitization. Additionally, implement validation of metric data and tags before processing.
Original NVD description (English source)
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix. The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram. The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections. Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.

