CVE-2026-45180

Summary
Assigner: CPANSec
Assigner Org ID: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Published At: 10 May, 2026 | 20:03
Updated At: 10 May, 2026 | 20:03

Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids

Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked. This may allow an attacker to use session ids as authentication tokens.

Common Vulnerabilities and Exposures (CVE)
cve.org
CVE Numbering Authority (CNA)

Affected Products
Vendor: RRWO
Product: Catalyst::Plugin::Statsd
Collection URL: https://cpan.org/modules
Package Name: Catalyst-Plugin-Statsd
Repo: https://github.com/robrwo/CatalystX-Statsd
Default Status: unaffected
Versions Affected:
  • From 0 through 0.10.0 (custom)
Problem Types
Type: CWE
CWE ID: CWE-319
Description: CWE-319 Cleartext Transmission of Sensitive Information
Impacts
CAPEC ID: CAPEC-102
Description: CAPEC-102 Session Sidejacking
Solutions

Upgrade to version 0.10.0 or later, which no longer logs session ids to statsd. If Plack::Middleware::Statsd is upgraded to 0.9.0 or later and is configured to log some information securely, then session ids will be logged as HMAC signatures instead.

Workarounds

Use a statsd daemon on the same host or through a secure communications channel.

References
Hyperlink: https://github.com/robrwo/CatalystX-Statsd/security/advisories/GHSA-gjvr-hq83-fc38
Resource: vendor-advisory
Hyperlink: https://metacpan.org/release/RRWO/Catalyst-Plugin-Statsd-v0.10.0/changes
Resource: release-notes
Hyperlink: https://www.cve.org/CVERecord?id=CVE-2026-45179
Resource: related
Hyperlink: https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx
Resource: related
National Vulnerability Database (NVD)
nvd.nist.gov
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Published At: 10 May, 2026 | 21:16
Updated At: 10 May, 2026 | 21:16

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Weaknesses
CWE ID: CWE-319
Type: Secondary
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
References
Hyperlink: https://github.com/robrwo/CatalystX-Statsd/security/advisories/GHSA-gjvr-hq83-fc38
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Resource: N/A
Hyperlink: https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Resource: N/A
Hyperlink: https://metacpan.org/release/RRWO/Catalyst-Plugin-Statsd-v0.10.0/changes
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Resource: N/A
Hyperlink: https://www.cve.org/CVERecord?id=CVE-2026-45179
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Resource: N/A

Similar CVEs

1 record found

CVE-2026-45179
Matching Score: 6
Assigner: CPAN Security Group
CVSS Score: Not Assigned
EPSS: Not Assigned
Published: 10 May, 2026 | 19:10
Updated: 10 May, 2026 | 22:16
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses

Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked. Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead.

Action: Not Available
Vendor: RRWO
Product: Plack::Middleware::Statsd
CWE ID: CWE-319 (Cleartext Transmission of Sensitive Information)