Metric Injection Vulnerability in Mojolicious::Plugin::Statsd for Perl
CVE-2026-46740

Currently unrated

Key Information:

Vendor

Rrwo

Status
Mojolicious::plugin::statsd
Vendor
CVE Published:
26 May 2026

What is CVE-2026-46740?

The Mojolicious::Plugin::Statsd for Perl versions up to 0.04 are susceptible to metric injection vulnerabilities. This flaw arises from a lack of validation on metric names and their associated values, allowing untrusted input sources to inject unauthorized statsd metrics. An update to version 0.06 mitigates this issue by utilizing a separate statsd client, which defaults to a version of Net::Statsd::Tiny that addresses similar vulnerabilities.

Affected Version(s)

Mojolicious::Plugin::Statsd 0 <= 0.04

References

https://metacpan.org/release/RRWO/Mojolicious-Plugin-Stat...
release-notes
https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd/...
patch
https://www.cve.org/CVERecord?id=CVE-2026-46720
related

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.