========================================================================
CVE-2026-46719                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-46719
  Distribution:  Net-Statsd-Lite
      Versions:  before 0.9.0

      MetaCPAN:  https://metacpan.org/dist/Net-Statsd-Lite
      VCS Repo:  https://github.com/robrwo/Net-Statsd-Lite


Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric
injections

Description
-----------
Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric
injections.

The metric names were not checked for newlines, colons or pipes.
Metrics generated from untrusted sources could inject additional statsd
metrics.

Problem types
-------------
- CWE-93 Improper Neutralization of CRLF Sequences

Workarounds
-----------
Apply the patch.

Alternatively, validate that all metrics sent to the client based on
untrusted data do not contain metric injections.
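
One way to do the validation described above, as an added example (not
code from Net::Statsd::Lite or its patch): a strict allowlist check in
Perl for any metric name built from untrusted data. The helper name
`safe_metric_name`, the allowed character set and the length limit are
assumptions; adjust them to what your statsd server accepts.

```perl
use strict;
use warnings;

# Hypothetical helper (not part of Net::Statsd::Lite): returns the name
# unchanged if it is safe to use as a statsd metric name, undef otherwise.
# The statsd line format is "<name>:<value>|<type>", one metric per line,
# so a newline, ":" or "|" in a name changes how the server parses it.
sub safe_metric_name {
    my ($name) = @_;
    return unless defined $name && length $name;
    return if length($name) > 200;    # assumed upper bound
    # Allowlist match. \A and \z are used instead of ^ and $ because
    # "$" would still accept a name that ends in "\n".
    return $name =~ /\A[A-Za-z0-9_.-]+\z/ ? $name : undef;
}

# Constructed sample inputs, standing in for untrusted data such as a
# request path or a user-supplied label.
my @samples = (
    "api.login.success",
    "api.login\nadmin.logins:9999|c",
    "api.login:1|c",
    "api.login\n",
    "",
);

for my $raw (@samples) {
    ( my $shown = $raw ) =~ s/\n/\\n/g;    # make newlines visible
    if ( defined( my $name = safe_metric_name($raw) ) ) {
        print "accept: $shown\n";
        # The validated $name is what gets passed to the statsd client.
    }
    else {
        print "reject: $shown\n";
        # Log the reject or count it under a fixed, trusted name;
        # never fall back to sending the raw value.
    }
}
```

Only the first sample is accepted; the others are rejected before they
reach the client.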


Solutions
---------
Upgrade to Net::Statsd::Lite version 0.9.0 or later.


References
----------
https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.9.0/changes
https://github.com/robrwo/Net-Statsd-Lite/commit/e1a8ab866d75c2827982134e9cf7e51a7f771153.patch

Timeline
--------
- 2026-05-14: Issue reported to CPANSec
- 2026-05-15: Author notified
- 2026-05-16: Fix released


