PatchSiren cyber security CVE debrief
CVE-2026-46739 COSIMO CVE debrief
CVE-2026-46739 is a MEDIUM severity vulnerability in Net::Statsd versions before 0.13 for Perl. The vulnerability allows metric injection from untrusted sources because metric names are not checked for newlines, colons, or pipes. Additionally, the update_stats (used for updating counters) and gauge methods do not check that values are numeric, which could also allow metric injection.
- Vendor: COSIMO
- Product: Net::Statsd
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-08
Who should care
Users of Net::Statsd versions before 0.13 for Perl should be aware of this vulnerability, as it could allow attackers to inject additional statsd metrics.
Technical summary
The vulnerability exists in Net::Statsd versions before 0.13 for Perl. Metric names are not sanitized, so newlines, colons, or pipes in a name pass straight into the statsd payload. Furthermore, the update_stats and gauge methods do not validate that values are numeric, which could also allow metric injection.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to Net::Statsd version 0.13 or later.
- Validate and sanitize metric names and values from untrusted sources.
- Use trusted sources for metric updates.
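One way to apply the validation recommendation on the caller's side, as an added example that is not Net::Statsd's own code or its 0.13 patch. It assumes the plain statsd line format `name:value|type` with newline-separated metrics; the helper names (`naive_line`, `safe_line`, `line_count`) and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Strict decimal number. \A and \z are deliberate: a plain $ anchor would
# accept "12\n", and [0-9] avoids \d matching non-ASCII digits.
my $NUMERIC = qr/\A[+-]?(?:[0-9]+(?:\.[0-9]*)?|\.[0-9]+)(?:[eE][+-]?[0-9]+)?\z/;

# Unvalidated formatting: name and value are copied into the line as-is.
sub naive_line {
    my ($name, $value, $type) = @_;
    return "$name:$value|$type";
}

# Validating formatter (hypothetical helper): dies instead of emitting a
# line whose name or value could change how the payload is parsed.
sub safe_line {
    my ($name, $value, $type) = @_;
    die "empty metric name\n" unless defined $name && length $name;
    die "metric name contains ':', '|' or a newline\n" if $name =~ /[:|\n]/;
    die "metric value is not numeric\n"
        unless defined $value && $value =~ $NUMERIC;
    return "$name:$value|$type";
}

# Number of separate lines a statsd server would see in one payload.
sub line_count {
    my ($payload) = @_;
    return scalar grep { length } split /\n/, $payload;
}

# Constructed sample inputs: [ name, value, type ]
my @cases = (
    [ 'login.ok',                    1,                     'c'  ],
    [ "login.ok:1|c\nother.metric",  0,                     'g'  ],  # newline in name
    [ 'queue.depth',                 "5|g\nqueue.depth:0",  'g'  ],  # non-numeric value
    [ 'latency',                     "12\n",                'ms' ],  # trailing newline
);

for my $case (@cases) {
    my ($name, $value, $type) = @$case;
    my $naive = naive_line($name, $value, $type);
    my $safe  = eval { safe_line($name, $value, $type) };
    my $err   = $@;
    chomp $err;
    printf "naive payload: %d line(s); validated: %s\n",
        line_count($naive), defined $safe ? 'accepted' : "rejected ($err)";
}
```

Only the first case is accepted; the other three each produce two lines when formatted without validation and are rejected by `safe_line`.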
Evidence notes
The CVE-2026-46739 vulnerability was published on 2026-06-04 and modified on 2026-06-08.
Official resources
- CVE-2026-46739 CVE record: CVE.org
- CVE-2026-46739 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: 9b29abf9-4ab0-4765-b253-1875cd9b441e - Issue Tracking, Patch
- Mitigation or vendor reference: 9b29abf9-4ab0-4765-b253-1875cd9b441e - Third Party Advisory
- Mitigation or vendor reference: 9b29abf9-4ab0-4765-b253-1875cd9b441e - Third Party Advisory
CVE-2026-46739 was published on 2026-06-04T17:16:32.663Z and modified on 2026-06-08T16:31:06.713Z.