PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11373 JASEI CVE debrief

CVE-2026-11373 is a vulnerability in Net::Statsite::Client versions up to 1.1.0 for Perl. The module allows metric injection because it does not strip newlines from metric names, and does not sanitize values for newlines or other protocol control characters such as colons or pipes. This affects users of the Net::Statsite::Client module, particularly those who use it to send metrics to a statsite server. Severity and exploitability depend on how the module is used and configured in each affected system. Defenders should assess their exposure based on their use of the module and apply mitigations as necessary.

Vendor: JASEI
Product: Net::Statsite::Client
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-22
Original CVE updated: 2026-06-22
Advisory published: 2026-06-22
Advisory updated: 2026-06-22

Who should care

Users of Net::Statsite::Client version 1.1.0 or earlier for Perl are affected by this vulnerability. This includes developers and administrators who use the module to send metrics to statsite servers. Any caller that can influence a metric name or value could inject additional metrics, sending unauthorized or misleading data to monitoring systems.

Technical summary

The Net::Statsite::Client module for Perl, up to version 1.1.0, does not properly sanitize metric names and values. Specifically, it does not remove newlines from metric names and does not sanitize values for newlines or protocol control characters such as colons or pipes. These characters are structural in the statsite wire format, where each metric is one newline-terminated line of the form name:value|type: a newline in either field ends the current metric and starts a new, caller-chosen one, while a colon or pipe in a value shifts what the server parses as the value and type fields. This lack of sanitization therefore allows metric injection, enabling an attacker who controls metric input to send arbitrary metrics to a statsite server. The vulnerability is classified under CWE-93 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-150 (Improper Neutralization of Special Elements used in a Command).

Defensive priority

Medium priority due to potential for data injection and misinformation in monitoring systems.

Recommended defensive actions

  • Inventory and review systems using Net::Statsite::Client version 1.1.0 or earlier.
  • Apply the official patch or upgrade to a version of Net::Statsite::Client that properly sanitizes metric names and values.
  • Review and restrict access to systems and users that can submit metrics to statsite servers.
  • Monitor for unusual or unauthorized metrics being sent from affected systems.
  • Consider implementing compensating controls, such as validating metric data before submission.
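The compensating control named in the last item, and the sanitization gap described in the technical summary, can be demonstrated with a small pre-submission validator. The code below is an added example written for this debrief; it is not code from Net::Statsite::Client or from JASEI, and it does not call the module's API. It assumes the statsite line format name:value|type terminated by a newline, treats newline, carriage return, NUL, colon and pipe as characters that must never appear inside a field, and assumes the metric type set c, g, ms, h, kv and s. The sample inputs are constructed for illustration.

```perl
#!/usr/bin/env perl
# Added example: fail-closed validation of statsite metric fields before submission.
# Illustrative code written for this debrief, not code from Net::Statsite::Client.
# Assumed wire format: "name:value|type\n". Newline, CR, NUL, ":" and "|" are
# treated as protocol control characters that must not appear inside a field.
use strict;
use warnings;

# Characters with structural meaning in a statsite line, or that terminate it.
my $FORBIDDEN = qr/[\r\n\x00:|]/;

# Validate a metric name. Returns it unchanged, or dies with a reason.
sub check_metric_name {
    my ($name) = @_;
    die "metric name is empty\n" unless defined $name && length $name;
    die "metric name contains a protocol control character\n"
        if $name =~ $FORBIDDEN;
    return $name;
}

# Validate a value: only a plain decimal number is accepted, so no control
# character can be smuggled in through the value field.
sub check_metric_value {
    my ($value) = @_;
    die "metric value is not numeric\n"
        unless defined $value && $value =~ /\A-?\d+(?:\.\d+)?\z/;
    return $value;
}

# Build one wire line, refusing anything that would split into extra metrics
# or shift the value/type fields. The type set below is an assumption.
sub build_metric_line {
    my ($name, $value, $type) = @_;
    $type //= 'c';
    die "unknown metric type '$type'\n" unless $type =~ /\A(?:c|g|ms|h|kv|s)\z/;
    return sprintf "%s:%s|%s\n",
        check_metric_name($name), check_metric_value($value), $type;
}

# Constructed samples: two benign metrics, then inputs shaped like the injection
# the CVE describes, which an unsanitized client would forward verbatim.
my @samples = (
    [ 'web.requests',                  42,              'c'  ],
    [ 'web.latency',                   '12.5',          'ms' ],
    [ "web.requests\nevil.metric:1|c", 1,               'c'  ],  # newline in name
    [ 'web.requests',                  "1|c\nevil:9|g", 'c'  ],  # newline and pipe in value
    [ 'web:requests',                  1,               'c'  ],  # colon in name
);

for my $s (@samples) {
    my $line = eval { build_metric_line(@$s) };
    if (defined $line) {
        print "OK       ", $line;
    } else {
        chomp(my $err = $@);
        printf "REJECTED %s\n", $err;
    }
}
```

Running the script prints the two benign lines as they would go on the wire and rejects the three crafted inputs before any socket is involved. Rejecting rather than stripping is deliberate: silently deleting a newline or colon would still deliver a metric the caller did not intend, whereas a rejected submission surfaces as an error that can be logged and alerted on, which supports the monitoring action above.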

Evidence notes

The primary evidence for this vulnerability comes from the CVE-2026-11373 record and references provided by NVD and CVE.org. The affected product is Net::Statsite::Client versions up to 1.1.0 for Perl. Evidence limits are based on information available up to June 22, 2026. Defenders should verify the official CVE record and vendor advisories for the most current information.

Official resources

This article is AI-assisted and based on the supplied source corpus.