PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50637 PEVANS CVE debrief

CVE-2026-50637 is a HIGH severity vulnerability in Metrics::Any::Adapter::Statsd versions before 0.04 for Perl. The send method does not validate its input, which lets attackers inject malicious metrics. The statsd protocol and its extensions permit multiple metrics, separated by newlines, to be sent per packet, so a metric name that contains a newline together with the statsd control characters (colon, pipe) can inject additional metrics. Version 0.04 fixes this by modifying the _make method to block metric names containing characters below ASCII 32 (including newlines), colons, or pipes.
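
The injection and the character check described above, as an added Perl example; it is not the module's own code. The helpers metric_name_is_safe, format_line and parse_datagram are hypothetical, and the sample metric names are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not the module's code): reject the characters the
# 0.04 fix is described as blocking: anything below ASCII 32, ':' and '|'.
sub metric_name_is_safe {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return $name !~ /[\x00-\x1f:|]/ ? 1 : 0;
}

# Simplified sender: formats "name:value|type" with no validation,
# the condition the advisory describes for versions before 0.04.
sub format_line {
    my ($name, $value, $type) = @_;
    return "$name:$value|$type";
}

# Simplified receiver: a statsd datagram may carry several metrics,
# one per line, so the server splits on newlines before parsing.
sub parse_datagram {
    my ($payload) = @_;
    my @metrics;
    for my $line (split /\n/, $payload) {
        next unless $line =~ /\A([^:]+):([^|]+)\|(\w+)/;
        push @metrics, { name => $1, value => $2, type => $3 };
    }
    return @metrics;
}

# Constructed sample names: one ordinary, one carrying an embedded
# newline followed by the start of a second metric line.
my @names = ( "http.requests", "http.requests:1|c\nbilling.total" );

for my $name (@names) {
    my @seen = parse_datagram( format_line( $name, 1, "c" ) );
    ( my $shown = $name ) =~ s/\n/\\n/g;    # make the newline visible
    printf "%-40s safe=%d server_sees=%d metric(s)\n",
        $shown, metric_name_is_safe($name), scalar @seen;
}
```

The second name is parsed by the receiver as two separate metrics, and the check flags it before it would be sent.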

Vendor: PEVANS
Product: Metrics::Any::Adapter::Statsd
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-11
Advisory published: 2026-06-10
Advisory updated: 2026-06-11

Who should care

Users of Metrics::Any::Adapter::Statsd versions before 0.04 for Perl should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability has a CVSS score of 8.2 and is classified as HIGH severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N. The weakness is classified as CWE-93.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to Metrics::Any::Adapter::Statsd version 0.04 or later.
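  • Validate and sanitize metric names before they are sent, rejecting characters below ASCII 32 (including newlines), colons, and pipes, to prevent metric injections.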

Evidence notes

The CVE record and details can be found at [cve-org]. Additional information is available at [nvd]. The vulnerability was reported via [ref-4].

Official resources

CVE-2026-50637 was published on 2026-06-10T19:16:37.263Z and modified on 2026-06-11T20:16:25.187Z.