CVE-2026-46739

Name: CVE-2026-46739
Description: Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. The update_stats (used for updating counters) and gauge methods do not check that values are numeric (which would block metric injection).
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1139163

Vulnerable and fixed packages

The table below lists information on source packages.

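| Source Package | Release | Version | Status |
|---|---|---|---|
| libnet-statsd-perl (PTS) | bullseye | 0.12-1.1 | vulnerable |
| libnet-statsd-perl (PTS) | bookworm | 0.12-3 | vulnerable |
| libnet-statsd-perl (PTS) | trixie | 0.12-4 | vulnerable |
| libnet-statsd-perl (PTS) | forky, sid | 0.13-1 | fixed |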

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libnet-statsd-perl | source | (unstable) | 0.13-1 | | | 1139163 |

Notes

[trixie] - libnet-statsd-perl <no-dsa> (Minor issue)
https://lists.security.metacpan.org/cve-announce/msg/40702251/
https://github.com/cosimo/perl5-net-statsd/pull/10
Fixed by: https://github.com/cosimo/perl5-net-statsd/commit/a10b10173d6751991b7ade14b86dd272439d2283 (0.13)
Testcase: https://github.com/cosimo/perl5-net-statsd/commit/583dfdf0385120768d6cfca7264a6ebf337ff377 (0.13)