CVE-2026-46720: CWE-93 Improper Neutralization of CRLF Sequences in RRWO Net::Statsd::Tiny
Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
AI Analysis
Technical Summary
Net::Statsd::Tiny versions prior to 0.3.8 do not validate or sanitize metric names and values for newline, colon, or pipe characters, leading to improper neutralization of CRLF sequences (CWE-93). This flaw enables attackers who can supply untrusted metric data to inject additional statsd metrics, potentially manipulating monitoring data or causing unexpected behavior in statsd consumers.
Potential Impact
The vulnerability allows injection of additional statsd metrics via crafted metric names or values containing newline or delimiter characters. This can lead to corrupted or misleading monitoring data. There is no indication of direct code execution or system compromise from the provided data.
Mitigation Recommendations
No official patch or remediation level is currently provided. Users should upgrade to version 0.3.8 or later when available, as the vulnerability affects versions before 0.3.8. Until a fix is released, avoid processing metrics from untrusted sources, or validate input so that metric names and values cannot contain newline, colon, or pipe characters.
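An added example (not from the advisory or from Net::Statsd::Tiny) of the input validation recommended above: it refuses metric names and set values containing newline, colon or pipe before they reach a statsd client. The helper names and sample values are assumptions for illustration, the `name:value|s` line is the standard statsd set format, and the code does not call the module itself.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Bytes with meaning in the statsd line protocol: newline ends a metric,
# ':' separates name from value, '|' separates value from type. CR is
# included because the issue is classified as CWE-93 (CRLF sequences).
my $DELIMS = qr/[\r\n:|]/;

# Fail closed: refuse a token rather than forward it to the client.
sub assert_safe_token {
    my ($kind, $token) = @_;
    die "$kind is undefined or empty\n" unless defined $token && length $token;
    die "$kind contains a statsd delimiter\n" if $token =~ $DELIMS;
    return $token;
}

# Build one set metric ("name:value|s") from validated parts only.
sub set_line {
    my ($name, $value) = @_;
    return sprintf '%s:%s|s',
        assert_safe_token('metric name', $name),
        assert_safe_token('set value',   $value);
}

# Number of metrics a receiver would parse out of one payload.
sub metric_count {
    my ($payload) = @_;
    return scalar grep { length } split /\r?\n/, $payload;
}

# Constructed inputs: one ordinary value, one carrying an embedded newline.
my @samples = (
    [ 'site.visitors', 'user-1842' ],
    [ 'site.visitors', "user-1842\nexample.injected:1|c" ],
);

for my $s (@samples) {
    my ($name, $value) = @$s;
    # Unchecked formatting, for comparison only (not the module's code).
    my $naive = sprintf '%s:%s|s', $name, $value;
    my $line  = eval { set_line($name, $value) };
    (my $why = $@) =~ s/\n\z//;    # keep the report on one line
    printf "unchecked payload: %d metric(s); validated: %s\n",
        metric_count($naive), defined $line ? "sent '$line'" : "rejected ($why)";
}
```

Rejecting is preferred over rewriting the delimiters to another character, since rewriting can make two distinct inputs collide on the same metric name.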
Technical Details
- Data Version: 5.2
- Assigner Short Name: CPANSec
- Date Reserved: 2026-05-16T00:56:00.338Z
- Cvss Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a0a03afec166c07b0eebf9c
Added to database: 5/17/2026, 6:06:39 PM
Last enriched: 5/17/2026, 6:21:35 PM
Last updated: 5/19/2026, 10:51:14 AM