Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

metrics\

Source -

NVD

CNA CVEs -

0

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

2
Related CVEsRelated VendorsRelated AssignersReports
2Vulnerabilities found
CVE-2026-50638
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-9.1||CRITICAL
EPSS-0.34% / 26.15%
||
7 Day CHG+0.03%
Published-10 Jun, 2026 | 18:32
Updated-24 Jun, 2026 | 14:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections

Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.

Action-Not Available
Vendor-pevansPEVANS
Product-metrics\Metrics::Any::Adapter::DogStatsd
CWE ID-CWE-150
Improper Neutralization of Escape, Meta, or Control Sequences
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2026-50637
Assigner-CPAN Security Group
ShareView Details
Assigner-CPAN Security Group
CVSS Score-8.2||HIGH
EPSS-0.32% / 24.03%
||
7 Day CHG+0.04%
Published-10 Jun, 2026 | 18:32
Updated-24 Jun, 2026 | 14:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections

Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions) allow mutiple metrics, separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible. Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.

Action-Not Available
Vendor-pevansPEVANS
Product-metrics\Metrics::Any::Adapter::Statsd
CWE ID-CWE-150
Improper Neutralization of Escape, Meta, or Control Sequences
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')