CVE-2026-46740: CWE-93 Improper Neutralization of CRLF Sequences in RRWO Mojolicious::Plugin::Statsd
CVE-2026-46740 is a vulnerability in Mojolicious::Plugin::Statsd versions through 0. 04 for Perl that allows metric injection due to improper neutralization of CRLF sequences. The plugin did not validate metric names and set values for newline, colon, or pipe characters, enabling injection of additional statsd metrics from untrusted sources. Version 0. 06 addresses this by switching to a separate statsd client that includes fixes for a similar issue. No official patch or remediation advisory is currently provided.
AI Analysis
Technical Summary
Mojolicious::Plugin::Statsd versions up to 0.04 are vulnerable to improper neutralization of CRLF sequences (CWE-93) in metric names and values, allowing injection of additional statsd metrics. This occurs because the plugin fails to check for newline, colon, or pipe characters in metrics, which can be exploited if metrics originate from untrusted sources. The vulnerability is mitigated in version 0.06 by replacing the internal statsd client with a separate client (Net::Statsd::Tiny) that fixes a related vulnerability (CVE-2026-46720).
Potential Impact
An attacker able to supply metric names or values could inject additional statsd metrics, potentially corrupting monitoring data or causing misleading statistics. There is no indication of remote code execution or system compromise from this vulnerability. No known exploits are reported in the wild.
Mitigation Recommendations
No official patch or vendor advisory is currently available. Users should upgrade to Mojolicious::Plugin::Statsd version 0.06 or later, which replaces the vulnerable statsd client with a fixed version. Until then, avoid processing metrics from untrusted sources or implement input validation to block newline, colon, and pipe characters in metric names and values. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-46740: CWE-93 Improper Neutralization of CRLF Sequences in RRWO Mojolicious::Plugin::Statsd
Description
CVE-2026-46740 is a vulnerability in Mojolicious::Plugin::Statsd versions through 0. 04 for Perl that allows metric injection due to improper neutralization of CRLF sequences. The plugin did not validate metric names and set values for newline, colon, or pipe characters, enabling injection of additional statsd metrics from untrusted sources. Version 0. 06 addresses this by switching to a separate statsd client that includes fixes for a similar issue. No official patch or remediation advisory is currently provided.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Mojolicious::Plugin::Statsd versions up to 0.04 are vulnerable to improper neutralization of CRLF sequences (CWE-93) in metric names and values, allowing injection of additional statsd metrics. This occurs because the plugin fails to check for newline, colon, or pipe characters in metrics, which can be exploited if metrics originate from untrusted sources. The vulnerability is mitigated in version 0.06 by replacing the internal statsd client with a separate client (Net::Statsd::Tiny) that fixes a related vulnerability (CVE-2026-46720).
Potential Impact
An attacker able to supply metric names or values could inject additional statsd metrics, potentially corrupting monitoring data or causing misleading statistics. There is no indication of remote code execution or system compromise from this vulnerability. No known exploits are reported in the wild.
Mitigation Recommendations
No official patch or vendor advisory is currently available. Users should upgrade to Mojolicious::Plugin::Statsd version 0.06 or later, which replaces the vulnerable statsd client with a fixed version. Until then, avoid processing metrics from untrusted sources or implement input validation to block newline, colon, and pipe characters in metric names and values. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-05-17T18:04:31.500Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a162a4be29bf47b50736dd9
Added to database: 5/26/2026, 11:18:35 PM
Last enriched: 5/26/2026, 11:34:59 PM
Last updated: 5/27/2026, 12:25:56 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.