Metric Injection Vulnerability in Net::Statsd::Tiny for Perl
CVE-2026-46720

8.2HIGH

Key Information:

Vendor: Rrwo
Status: Net::statsd::tiny
Vendor: CVE Published:; 17 May 2026

What is CVE-2026-46720?

Net::Statsd::Tiny versions prior to 0.3.8 for Perl are susceptible to a metric injection vulnerability. This occurs when the application fails to validate input for metric names and set values, allowing metrics from untrusted sources to include newline characters, colons, or pipes. Consequently, this could lead to the injection of unauthorized statsd metrics, potentially compromising application integrity and security.

Affected Version(s)

Net::Statsd::Tiny 0 < 0.3.8

References

https://metacpan.org/release/RRWO/Net-Statsd-Tiny-v0.3.8/...

release-notes

https://github.com/robrwo/Net-Statsd-Tiny/commit/06f814f5...

patch

https://www.cve.org/CVERecord?id=CVE-2026-46719

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 17, 2026
Vulnerability Reserved
May 16, 2026

CVE-2026-46720 Data

JSON

Rrwo

What is CVE-2026-46720?

Affected Version(s)

References

CVSS V3.1

Timeline