======================================================================== CVE-2026-8788 CPAN Security Group ========================================================================
CVE ID: CVE-2026-8788 Distribution: Net-Statsd-Lite Versions: through 0.10.0 MetaCPAN: https://metacpan.org/dist/Net-Statsd-Lite VCS Repo: https://github.com/robrwo/Net-Statsd-Lite Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections Description ----------- Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names. Problem types ------------- - CWE-93 Improper Neutralization of CRLF Sequences Workarounds ----------- In version 0.10.0, use the secure_set_add method which logs an HMAC digest of the value instead of the raw value. Validate that all values sent to the client based on untrusted data do not contain metric injections. Solutions --------- Upgrade to Net::Statsd::Lite version 0.10.1 or later. References ---------- https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.10.1/changes https://www.cve.org/CVERecord?id=CVE-2026-46719 Timeline -------- - 2026-05-14: Issue reported to CPANSec - 2026-05-15: Author notified - 2026-05-16: Fix released for CVE-2026-46719 - 2026-05-17: CVE-2026-8788 identified by author - 2025-05-17: Fix released for CVE-2026-8788
