CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CVE-2026-50292 (GCVE-0-2026-50292)
Vulnerability from cvelistv5 – Published: 2026-06-04 16:41 – Updated: 2026-06-04 18:12
VLAI
Summary
In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution
Severity
7.4 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| freedesktop | libinput |
Affected:
0 , < 1.30.4
(semver)
Affected: 1.31.0 , < 1.31.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-50292",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T18:12:00.642730Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T18:12:18.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "libinput",
"vendor": "freedesktop",
"versions": [
{
"lessThan": "1.30.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.31.3",
"status": "affected",
"version": "1.31.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:freedesktop:libinput:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.30.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:freedesktop:libinput:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.31.3",
"versionStartIncluding": "1.31.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T16:41:36.354Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296"
},
{
"url": "https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55"
},
{
"url": "https://www.openwall.com/lists/oss-security/2026/06/04/5"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-50292",
"datePublished": "2026-06-04T16:41:36.354Z",
"dateReserved": "2026-06-04T16:41:35.817Z",
"dateUpdated": "2026-06-04T18:12:18.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50629 (GCVE-0-2026-50629)
Vulnerability from cvelistv5 – Published: 2026-06-12 08:57 – Updated: 2026-06-12 14:47
VLAI
Title
Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier
Summary
The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache CXF |
Affected:
4.2.0 , < 4.2.2
(semver)
Affected: 0 , < 4.1.7 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-12T09:28:05.582Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/11/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-50629",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T14:02:18.148673Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:47:44.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.cxf:cxf-rt-rs-security-oauth2",
"product": "Apache CXF",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.2.2",
"status": "affected",
"version": "4.2.0",
"versionType": "semver"
},
{
"lessThan": "4.1.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Guanping Zhang reported this vulnerability."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The \u0027clientId\u0027 parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server\u0027s log files.\u0026nbsp;Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.\u003cbr\u003e"
}
],
"value": "The \u0027clientId\u0027 parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server\u0027s log files.\u00a0Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T08:57:22.534Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/xw95po30p8th58ms1no6b0f2375cql00"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-50629",
"datePublished": "2026-06-12T08:57:22.534Z",
"dateReserved": "2026-06-05T10:55:14.302Z",
"dateUpdated": "2026-06-12T14:47:44.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50637 (GCVE-0-2026-50637)
Vulnerability from cvelistv5 – Published: 2026-06-10 18:32 – Updated: 2026-06-11 19:10
VLAI
Title
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections
Summary
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections.
The statsd protocol (and extensions) allow mutiple metrics,separated by newlines, to be sent per packet.
The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible.
Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://metacpan.org/release/PEVANS/Metrics-Any-A… | release-notes |
| https://www.cve.org/CVERecord?id=CVE-2026-46719 | related |
| https://www.cve.org/CVERecord?id=CVE-2026-46720 | related |
| https://www.cve.org/CVERecord?id=CVE-2026-46739 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PEVANS | Metrics::Any::Adapter::Statsd |
Affected:
0 , < 0.04
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-50637",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T19:09:57.520776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T19:10:34.115Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Metrics-Any-Adapter-Statsd",
"product": "Metrics::Any::Adapter::Statsd",
"programRoutines": [
{
"name": "Metrics::Any::Adapter::Statsd::_make"
},
{
"name": "Metrics::Any::Adapter::Statsd::send"
}
],
"vendor": "PEVANS",
"versions": [
{
"lessThan": "0.04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections.\n\nThe statsd protocol (and extensions) allow mutiple metrics,separated by newlines, to be sent per packet.\n\nThe send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible.\n\nVersion 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:32:11.614Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46739"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to v0.04 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-50637",
"datePublished": "2026-06-10T18:32:11.614Z",
"dateReserved": "2026-06-05T12:07:20.886Z",
"dateUpdated": "2026-06-11T19:10:34.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50638 (GCVE-0-2026-50638)
Vulnerability from cvelistv5 – Published: 2026-06-10 18:32 – Updated: 2026-06-11 19:11
VLAI
Title
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections
Summary
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections.
The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet.
Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.
In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://metacpan.org/release/PEVANS/Metrics-Any-A… | release-notes |
| https://www.cve.org/CVERecord?id=CVE-2026-50637 | related |
| https://www.cve.org/CVERecord?id=CVE-2026-9270 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PEVANS | Metrics::Any::Adapter::DogStatsd |
Affected:
0 , < 0.04
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-50638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T19:10:59.333211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T19:11:42.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Metrics-Any-Adapter-Statsd",
"product": "Metrics::Any::Adapter::DogStatsd",
"programRoutines": [
{
"name": "Metrics::Any::Adapter::DogStatsd::_tags"
}
],
"vendor": "PEVANS",
"versions": [
{
"lessThan": "0.04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections.\n\nThe statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet.\n\nMetrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.\n\nIn addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:32:21.666Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50637"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9270"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to v0.04 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-50638",
"datePublished": "2026-06-10T18:32:21.666Z",
"dateReserved": "2026-06-05T12:07:20.886Z",
"dateUpdated": "2026-06-11T19:11:42.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50639 (GCVE-0-2026-50639)
Vulnerability from cvelistv5 – Published: 2026-06-10 18:32 – Updated: 2026-06-10 19:38
VLAI
Title
Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections
Summary
Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections.
The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet.
Metrics::Any::Adapter::SignalFx which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.
In addition, the _labels function does not check tags labels newlines or statsd control characters. The labels can be used for metric injections.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://metacpan.org/release/PEVANS/Metrics-Any-A… | release-notes |
| https://www.cve.org/CVERecord?id=CVE-2026-50637 | related |
| https://www.cve.org/CVERecord?id=CVE-2026-9270 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PEVANS | Metrics::Any::Adapter::SignalFx |
Affected:
0 , < 0.04
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-50639",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T19:38:09.757142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T19:38:13.983Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Metrics-Any-Adapter-Statsd",
"product": "Metrics::Any::Adapter::SignalFx",
"programRoutines": [
{
"name": "Metrics::Any::Adapter::SignalFx:_labels"
},
{
"name": "Metrics::Any::Adapter::SignalFx::send"
}
],
"vendor": "PEVANS",
"versions": [
{
"lessThan": "0.04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections.\n\nThe statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet.\n\nMetrics::Any::Adapter::SignalFx which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.\n\nIn addition, the _labels function does not check tags labels newlines or statsd control characters. The labels can be used for metric injections."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:32:30.054Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50637"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9270"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to v0.04 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-50639",
"datePublished": "2026-06-10T18:32:30.054Z",
"dateReserved": "2026-06-05T12:07:20.886Z",
"dateUpdated": "2026-06-10T19:38:13.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5140 (GCVE-0-2026-5140)
Vulnerability from cvelistv5 – Published: 2026-04-29 13:02 – Updated: 2026-06-06 07:51
VLAI
Title
Authorization Bypass in TUBITAK BILGEM's Pardus Update
Summary
Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Update allows Authentication Bypass.
This issue affects Pardus Update: from 0.6.3 before 0.6.4.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper neutralization of CRLF sequences ('CRLF injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.usom.gov.tr/bildirim/tr-26-0131 | government-resourcebroken-link |
| https://siberguvenlik.gov.tr/guvenlik-bildirimler… | government-resource |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TUBITAK BILGEM Software Technologies Research Institute | Pardus Update |
Affected:
0.6.3 , < 0.6.4
(custom)
|
Date Public
2026-04-29 12:43
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5140",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T14:04:24.354607Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T14:04:35.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pardus Update",
"vendor": "TUBITAK BILGEM Software Technologies Research Institute",
"versions": [
{
"lessThan": "0.6.4",
"status": "affected",
"version": "0.6.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u00c7a\u011fr\u0131 ESER"
}
],
"datePublic": "2026-04-29T12:43:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper neutralization of CRLF sequences (\u0027CRLF injection\u0027) vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Update allows Authentication Bypass.\u003cp\u003eThis issue affects Pardus Update: from 0.6.3 before 0.6.4.\u003c/p\u003e"
}
],
"value": "Improper neutralization of CRLF sequences (\u0027CRLF injection\u0027) vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Update allows Authentication Bypass.\n\nThis issue affects Pardus Update: from 0.6.3 before 0.6.4."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper neutralization of CRLF sequences (\u0027CRLF injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T07:51:25.691Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"tags": [
"government-resource",
"broken-link"
],
"url": "https://www.usom.gov.tr/bildirim/tr-26-0131"
},
{
"tags": [
"government-resource"
],
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0131"
}
],
"source": {
"advisory": "TR-26-0131",
"defect": [
"TR-26-0131"
],
"discovery": "UNKNOWN"
},
"title": "Authorization Bypass in TUBITAK BILGEM\u0027s Pardus Update",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2026-5140",
"datePublished": "2026-04-29T13:02:08.216Z",
"dateReserved": "2026-03-30T11:35:18.026Z",
"dateUpdated": "2026-06-06T07:51:25.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6351 (GCVE-0-2026-6351)
Vulnerability from cvelistv5 – Published: 2026-04-16 02:39 – Updated: 2026-04-16 13:02
VLAI
Title
Openfind|MailGates/MailAudit - CRLF Injection
Summary
MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper neutralization of CRLF sequences ('CRLF injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-10844-1405d-1.html | third-party-advisory |
| https://www.twcert.org.tw/en/cp-139-10843-9ff91-2.html | third-party-advisory |
Impacted products
Date Public
2026-04-16 02:34
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6351",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T13:02:17.083959Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T13:02:24.951Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MailGates",
"vendor": "Openfind",
"versions": [
{
"lessThan": "6.1.10.054",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "5.2.10.099",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MailAudit",
"vendor": "Openfind",
"versions": [
{
"lessThan": "6.1.10.054",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "5.2.10.099",
"status": "affected",
"version": "5.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-04-16T02:34:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files."
}
],
"value": "MailGates/MailAudit developed by Openfind has a CRLF Injection vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read system files."
}
],
"impacts": [
{
"capecId": "CAPEC-15",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-15 Command Delimiters"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper neutralization of CRLF sequences (\u0027CRLF injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T02:39:02.015Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-10844-1405d-1.html"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.twcert.org.tw/en/cp-139-10843-9ff91-2.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MailGates/MailAudit 6.0\uff1a Update to version 6.1.10.054 or later\n\u003cbr\u003eMailGates/MailAudit 5.0\uff1a Update to version 5.2.10.099 or later"
}
],
"value": "MailGates/MailAudit 6.0\uff1a Update to version 6.1.10.054 or later\n\nMailGates/MailAudit 5.0\uff1a Update to version 5.2.10.099 or later"
}
],
"source": {
"advisory": "TVN-202604003",
"discovery": "EXTERNAL"
},
"title": "Openfind\uff5cMailGates/MailAudit - CRLF Injection",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2026-6351",
"datePublished": "2026-04-16T02:39:02.015Z",
"dateReserved": "2026-04-15T11:32:32.176Z",
"dateUpdated": "2026-04-16T13:02:24.951Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8722 (GCVE-0-2026-8722)
Vulnerability from cvelistv5 – Published: 2026-06-03 23:45 – Updated: 2026-06-04 18:31
VLAI
Title
Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections
Summary
Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections.
The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.cve.org/CVERecord?id=CVE-2026-46719 | related |
| https://www.cve.org/CVERecord?id=CVE-2026-46720 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TEAM | Net::Async::Statsd::Client |
Affected:
0 , ≤ 0.005
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T18:30:45.633771Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T18:31:02.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-Async-Statsd",
"product": "Net::Async::Statsd::Client",
"programRoutines": [
{
"name": "Net::Async::Statsd::Client::queue_stat"
}
],
"repo": "https://github.com/team-at-cpan/Net-Async-Statsd",
"vendor": "TEAM",
"versions": [
{
"lessThanOrEqual": "0.005",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections.\n\nThe metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T23:45:27.353Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections",
"workarounds": [
{
"lang": "en",
"value": "Ensure only trusted data is submitted to metrics."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-8722",
"datePublished": "2026-06-03T23:45:27.353Z",
"dateReserved": "2026-05-16T01:26:22.806Z",
"dateUpdated": "2026-06-04T18:31:02.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8788 (GCVE-0-2026-8788)
Vulnerability from cvelistv5 – Published: 2026-05-18 06:34 – Updated: 2026-05-19 12:45
VLAI
Title
Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections
Summary
Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections.
The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names.
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://metacpan.org/release/RRWO/Net-Statsd-Lite… | release-notes |
| https://www.cve.org/CVERecord?id=CVE-2026-46719 | related |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| RRWO | Net::Statsd::Lite |
Affected:
0 , ≤ 0.10.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8788",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T12:45:22.290912Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T12:45:27.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-Statsd-Lite",
"product": "Net::Statsd::Lite",
"programRoutines": [
{
"name": "Net::Statsd::Lite::record_metric"
}
],
"repo": "https://github.com/robrwo/Net-Statsd-Lite",
"vendor": "RRWO",
"versions": [
{
"lessThanOrEqual": "0.10.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections.\n\nThe values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.\n\nNote that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T06:34:24.030Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.10.1/changes"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Net::Statsd::Lite version 0.10.1 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-14T00:00:00.000Z",
"value": "Issue reported to CPANSec"
},
{
"lang": "en",
"time": "2026-05-15T00:00:00.000Z",
"value": "Author notified"
},
{
"lang": "en",
"time": "2026-05-16T00:00:00.000Z",
"value": "Fix released for CVE-2026-46719"
},
{
"lang": "en",
"time": "2026-05-17T00:00:00.000Z",
"value": "CVE-2026-8788 identified by author"
},
{
"lang": "en",
"time": "2025-05-17T00:00:00.000Z",
"value": "Fix released for CVE-2026-8788"
}
],
"title": "Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections",
"workarounds": [
{
"lang": "en",
"value": "In version 0.10.0, use the secure_set_add method which logs an HMAC digest of the value instead of the raw value.\n\nValidate that all values sent to the client based on untrusted data do not contain metric injections."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-8788",
"datePublished": "2026-05-18T06:34:24.030Z",
"dateReserved": "2026-05-17T12:01:20.592Z",
"dateUpdated": "2026-05-19T12:45:27.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9270 (GCVE-0-2026-9270)
Vulnerability from cvelistv5 – Published: 2026-06-05 14:49 – Updated: 2026-06-08 18:17
VLAI
Title
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections
Summary
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections.
DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.
The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix.
The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram.
The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections.
Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| BINARY | DataDog::DogStatsd |
Affected:
0 , ≤ 0.07
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T18:17:00.524236Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T18:17:12.608Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "DataDog-DogStatsd",
"product": "DataDog::DogStatsd",
"programRoutines": [
{
"name": "DataDog::DogStatsd::send_stats"
},
{
"name": "DataDog::DogStatsd::set"
},
{
"name": "DataDog::DogStatsd::gauge"
},
{
"name": "DataDog::DogStatsd::count"
},
{
"name": "DataDog::DogStatsd::histogram"
}
],
"repo": "https://github.com/binary-com/dogstatsd-perl",
"vendor": "BINARY",
"versions": [
{
"lessThanOrEqual": "0.07",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DataDog::DogStatsd versions through 0.07 for Perl allow metric injections.\n\nDataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.\n\nThe send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix.\n\nThe send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram.\n\nThe send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections.\n\nNote that the SYNOPSIS shows an example of passing a website form \"loginName\" parameter as a tag, which is unsafe."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T14:49:39.714Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46741"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DataDog::DogStatsd versions through 0.07 for Perl allow metric injections",
"workarounds": [
{
"lang": "en",
"value": "Ensure that metric names, values and tags come from trusted sources or are properly sanitised."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-9270",
"datePublished": "2026-06-05T14:49:39.714Z",
"dateReserved": "2026-05-22T10:23:06.050Z",
"dateUpdated": "2026-06-08T18:17:12.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Implementation
Description:
- Avoid using CRLF as a special sequence.
Mitigation
Phase: Implementation
Description:
- Appropriately filter or quote CRLF sequences in user-controlled input.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.