PatchSiren cyber security CVE debrief
CVE-2026-11362 BINARY CVE debrief
CVE-2026-11362 is a critical vulnerability in DataDog::DogStatsd for Perl, versions through 0.07. The library does not properly sanitize input, so data from untrusted sources can be used for metric injection. Specifically, the format_event method, used by the event method, does not validate the content of tags, which lets an attacker inject tags and potentially inject metrics. The library's attempt to remove pipes makes this worse: its regular expression does not escape the pipe character, so the removal is ineffective. The vulnerability has a CVSS score of 9.8, indicating critical severity.
- Vendor: BINARY
- Product: DataDog::DogStatsd
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-10
Who should care
Users of DataDog::DogStatsd version 0.07 or earlier for Perl should be concerned about this vulnerability. The issue allows for metric injections, which could lead to unauthorized data modifications or additions, potentially affecting the integrity and accuracy of metrics collected by DataDog.
Technical summary
The vulnerability is caused by the lack of proper sanitization of input in DataDog::DogStatsd. Specifically, the format_event method does not validate tags, which can contain commas, newlines, pipes, and colons. This allows for metric injections from untrusted sources. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a high impact on confidentiality, integrity, and availability.
Defensive priority
High
Recommended defensive actions
- Update DataDog::DogStatsd to a version beyond 0.07 for Perl.
- Implement proper input validation and sanitization for tags in events.
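The unescaped-pipe behaviour and an allowlist check for tags, as an added Perl example that is not code from DataDog::DogStatsd or from the advisory. The `valid_tag` helper, its allowlist pattern and the sample strings are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: tag text from an untrusted source carrying the
# delimiters named in the advisory (pipe, comma, newline, colon).
my $untrusted = "env:prod|extra,role:admin\nsecond.line";

# Unescaped pipe: "|" is regex alternation between two empty branches, so the
# pattern matches the empty string at every position and deletes nothing.
(my $unescaped = $untrusted) =~ s/|//g;

# Escaped pipe: matches and removes the literal "|" character.
(my $escaped = $untrusted) =~ s/\|//g;

# Hypothetical helper, not part of DataDog::DogStatsd. Allowlist chosen for
# this example: a leading letter, then letters, digits, "_", ".", "/", "-"
# and ":" (for key:value), at most 200 characters in total. \A and \z anchor
# the whole string; "$" would still accept a trailing newline.
sub valid_tag {
    my ($tag) = @_;
    return 0 unless defined $tag;
    return $tag =~ /\A[A-Za-z][A-Za-z0-9_.\/:-]{0,199}\z/ ? 1 : 0;
}

# Constructed inputs: one clean tag and four carrying a delimiter.
my @tags = ("env:prod", "team:web|x", "a,b", "region:eu\n", $untrusted);
my @kept = grep { valid_tag($_) } @tags;

printf "unescaped pattern changed the input: %s\n",
    $unescaped eq $untrusted ? "no" : "yes";
printf "escaped pattern left a pipe behind:  %s\n",
    $escaped =~ /\|/ ? "yes" : "no";
print "tags accepted: @kept\n";
```

Rejecting a tag that fails the allowlist, rather than trying to strip individual characters from it, avoids depending on a removal pattern being written correctly.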
Evidence notes
The CVE record and NVD detail provide comprehensive information about the vulnerability, including its CVSS score, affected versions, and potential impacts.
Official resources
- CVE-2026-11362 CVE record (CVE.org)
- CVE-2026-11362 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (9b29abf9-4ab0-4765-b253-1875cd9b441e - Third Party Advisory)
CVE-2026-11362 was published on 2026-06-05T16:16:41.277Z and modified on 2026-06-10T15:01:40.640Z.