PatchSiren cyber security CVE debrief
CVE-2026-50639 PEVANS CVE debrief
CVE-2026-50639 is a vulnerability in Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl. The vulnerability occurs because the statsd protocol (and extensions such as dogstatsd) allows multiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::SignalFx, which extends Metrics::Any::Adapter::Statsd, has a similar vulnerability. Additionally, the _labels function does not check tag labels for newlines or statsd control characters, allowing metric injection.
- Vendor: PEVANS
- Product: Metrics::Any::Adapter::SignalFx
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The CVE-2026-50639 vulnerability has a CVSS score of 6.5 and a severity of MEDIUM. It was published on 2026-06-10T19:16:37.483Z and last modified on 2026-06-10T20:19:35.917Z. The vulnerability is related to CWE-93.
Defensive priority
MEDIUM
Recommended defensive actions
- Update Metrics::Any::Adapter::SignalFx to version 0.04 or later.
- Validate and sanitize input metrics to prevent injections.
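One way to apply the second recommendation before values reach the adapter, as an added example that is not code from the module or its 0.04 fix: a standalone Perl check that rejects metric names, label keys and label values containing newlines or statsd delimiters. The function names and the exact set of rejected characters are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Characters treated as unsafe in a metric name, label key or label value.
# Assumption: this set (CR/LF and other control characters, plus common
# statsd / dogstatsd / tag delimiters) is chosen for the example; it is not
# taken from the 0.04 fix.
my $UNSAFE = qr/[\x00-\x1f\x7f:|@#,=\[\]]/;

# Render control characters visibly so a rejected value is safe to log.
sub printable {
    my ($s) = @_;
    $s =~ s/([\x00-\x1f\x7f])/sprintf('\\x%02x', ord($1))/ge;
    return $s;
}

# Returns a list of problems found; an empty list means the inputs are safe
# to hand to a statsd-style adapter.
sub check_metric {
    my ( $name, %labels ) = @_;
    my @problems;
    push @problems, "metric name"
        if !defined($name) || !length($name) || $name =~ $UNSAFE;
    for my $key ( sort keys %labels ) {
        push @problems, "label key '" . printable($key) . "'"
            if !length($key) || $key =~ $UNSAFE;
        my $value = $labels{$key};
        push @problems, "value of label '" . printable($key) . "'"
            if !defined($value) || $value =~ $UNSAFE;
    }
    return @problems;
}

# Constructed sample inputs: the second carries an embedded newline, which
# would begin a second metric line inside the same packet.
my @samples = (
    [ 'requests', route => '/login', method => 'POST' ],
    [ 'requests', route => "/login\nadmin.logins:1|c" ],
    [ 'requests', 'user|id' => '42' ],
);

for my $sample (@samples) {
    my ( $name, @labels ) = @$sample;
    my @problems = check_metric( $name, @labels );
    printf "%-8s %s\n", ( @problems ? 'REJECT' : 'ok' ),
        ( @problems ? join( '; ', @problems ) : $name );
}
```

Rejecting is safer than stripping here, because a silently rewritten label can still merge unrelated series; log the rejection with the escaped value and drop the metric.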
Evidence notes
The vendor of the affected product is Unknown Vendor, and the product name is PEVANS. The canonical source is reference_domain_weak, and the confidence is low.
Official resources
- CVE-2026-50639 CVE record (CVE.org)
- CVE-2026-50639 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (9b29abf9-4ab0-4765-b253-1875cd9b441e)