PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9270 BINARY CVE debrief

CVE-2026-9270 is a critical vulnerability in DataDog::DogStatsd versions through 0.07 for Perl. The vulnerability allows metric injections from untrusted sources due to improper input sanitization. The `send_stats` method does not remove newlines from metric names, validate the content of the value, or validate the content of the tags, allowing attackers to change the metric name prefix, inject metrics, and inject tags.

Vendor: BINARY
Product: DataDog::DogStatsd
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-05
Original CVE updated: 2026-06-10
Advisory published: 2026-06-05
Advisory updated: 2026-06-10

Who should care

Users of DataDog::DogStatsd versions through 0.07 for Perl should be aware of this vulnerability and take steps to mitigate it.

Technical summary

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections due to improper input sanitization. Specifically, the `send_stats` method does not remove newlines from metric names, validate the content of the value, or validate the content of the tags.

Defensive priority

high

Recommended defensive actions

  • Upgrade to a version of DataDog::DogStatsd that is not vulnerable (e.g., version 0.08 or later).
  • Use a version of Perl that is not vulnerable.
  • Implement input validation and sanitization for metric names, values, and tags.
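
One way to apply the third action in the calling application, shown as an added example that is not code from DataDog::DogStatsd or from the advisory. It checks each field against an allowlist before anything is handed to a StatsD client, so the DogStatsD datagram delimiters (newline, `|`, `,`) never reach the wire. The sub name `metric_problems`, the allowlist patterns (numeric values only) and the sample inputs are assumptions made for this illustration.

```perl
#!/usr/bin/env perl
# Added example: allowlist validation of DogStatsD fields before they reach
# a client. Sub name, patterns and sample inputs are constructed assumptions.
use strict;
use warnings;

# DogStatsD datagram layout: <name>:<value>|<type>|#<tag>,<tag>
# A packet may carry several metrics, one per line.
# \A and \z anchor the whole string; '$' would tolerate a trailing newline.
my $NAME_RE  = qr/\A[A-Za-z][A-Za-z0-9_.]{0,199}\z/;
my $VALUE_RE = qr/\A[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?\z/;
my $TAG_RE   = qr/\A[A-Za-z][A-Za-z0-9_.\/:-]{0,199}\z/;

# Returns the list of offending fields; an empty list means safe to send.
sub metric_problems {
    my ($name, $value, $tags) = @_;
    my @problems;
    push @problems, 'name'  unless defined $name  && $name  =~ $NAME_RE;
    push @problems, 'value' unless defined $value && $value =~ $VALUE_RE;
    for my $tag (@{ $tags // [] }) {
        push @problems, 'tag' unless defined $tag && $tag =~ $TAG_RE;
    }
    return @problems;
}

# Constructed inputs: one benign, three carrying datagram delimiters.
my @cases = (
    [ 'checkout.latency',               '12.5', ['env:prod'] ],
    [ "checkout.latency\nadmin.logins", '1',    [] ],  # newline starts a second metric
    [ 'checkout.count',                 '1|g',  [] ],  # '|' injects a type field
    [ 'checkout.count',                 '1',    ['env:prod,role:admin'] ],  # ',' adds a tag
);

for my $case (@cases) {
    my ($name, $value, $tags) = @$case;
    my @problems = metric_problems($name, $value, $tags);
    (my $shown = $name) =~ s/\n/\\n/g;   # make the newline visible in output
    printf "%-34s %s\n", $shown, @problems ? "REJECT (@problems)" : 'ok';
}
```

Rejecting and logging the offending input, rather than silently stripping characters, keeps a record of which upstream source supplied delimiter-bearing data.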

Evidence notes

The CVE-2026-9270 vulnerability has a CVSS score of 9.1 and is considered critical. The vulnerability is caused by improper input sanitization in the `send_stats` method of DataDog::DogStatsd versions through 0.07 for Perl.

Official resources

CVE-2026-9270 was published on 2026-06-05T16:16:41.780Z and modified on 2026-06-10T15:01:31.007Z.