PatchSiren cyber security CVE debrief
CVE-2026-46720 Unknown Vendor CVE debrief
CVE-2026-46720 affects Net::Statsd::Tiny versions before 0.3.8 for Perl. According to the official record, the library did not validate metric names or set values for newline, colon, or pipe characters, which means untrusted input could be used to inject additional StatsD metrics. The issue is an integrity problem for telemetry rather than a code-execution flaw, and the cited references indicate the fix is present in 0.3.8.
- Vendor: Unknown Vendor
- Product: Unknown
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-17
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-17
- Advisory updated: 2026-05-18
Who should care
Perl developers and operators using Net::Statsd::Tiny, especially where metric names or values may be derived from user-controlled or otherwise untrusted input. Observability, SRE, and platform teams should care if they rely on these metrics for alerting, dashboards, billing, or abuse detection.
Technical summary
The vulnerability is a StatsD metric injection issue. Net::Statsd::Tiny versions before 0.3.8 did not reject newline, colon, or pipe characters in metric names and set values. Because StatsD payloads use those delimiters, crafted input can alter the structure of the emitted metric stream and produce extra or spoofed metrics. NVD maps the weakness to CWE-93.
Defensive priority
Prioritize remediation if any application path passes untrusted input into Net::Statsd::Tiny, because the flaw can silently corrupt telemetry and mislead monitoring or alerting. If the library is only used with trusted constant metric names and values, the immediate exposure is lower, but upgrading is still recommended.
Recommended defensive actions
- Upgrade Net::Statsd::Tiny to version 0.3.8 or later.
- Audit every code path that builds metric names or set values from external input.
- Reject or normalize newline, colon, and pipe characters before calling the library.
- Add tests that verify malformed input cannot change the intended StatsD message format.
- Review recent dashboards and alerts for unexpected or suspicious metric patterns around the exposure window.
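The injection described in the technical summary and the "reject or normalize" action above, as an added example that is not part of this debrief or of Net::Statsd::Tiny. It models the StatsD line format ("name:value|type", one metric per line) in plain Python rather than calling the Perl library, so the same check applies to any client; the metric names and the delimiter set are constructed for the example.

```python
import re

# StatsD framing delimiters: "\n" separates metrics in one datagram,
# ":" separates the name from the value, "|" separates value from type.
# Letting any of them through from untrusted input is CWE-93.
DELIMITERS = re.compile(r"[\n:|]")


def format_metric(name, value, mtype):
    """Build one StatsD line the way an unvalidated client does."""
    return f"{name}:{value}|{mtype}"


def parse_statsd(payload):
    """Parse a datagram into (name, value, type) triples, one per line."""
    metrics = []
    for line in payload.split("\n"):
        if not line:
            continue
        name, rest = line.split(":", 1)
        value, mtype = rest.split("|")[:2]
        metrics.append((name, value, mtype))
    return metrics


def validate_field(field):
    """Reject a name or set value containing any framing delimiter."""
    if DELIMITERS.search(field):
        raise ValueError(f"StatsD delimiter in metric field: {field!r}")
    return field


def normalize_field(field):
    """Alternative to rejecting: replace delimiters with an underscore."""
    return DELIMITERS.sub("_", field)


def safe_format_metric(name, value, mtype):
    """Validate both untrusted fields before building the line."""
    return format_metric(validate_field(name), validate_field(str(value)), mtype)


# Constructed untrusted input: a "metric name" that carries its own value,
# type and a newline, so the naive client emits a second, spoofed metric.
INJECTED_NAME = "login.failures:0|c\nlogin.success"

if __name__ == "__main__":
    print(parse_statsd(format_metric(INJECTED_NAME, 1, "c")))  # two metrics
    print(safe_format_metric(normalize_field(INJECTED_NAME), 1, "c"))
    try:
        safe_format_metric(INJECTED_NAME, 1, "c")
    except ValueError as exc:
        print("rejected:", exc)
```

The parse of the naive output is also the shape of the test the "add tests" action asks for: one library call must never yield more than one parsed metric.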
Evidence notes
The debrief is based on the official NVD description and its listed references. The NVD record states that versions before 0.3.8 allowed metric injections because metric names and set values were not checked for newlines, colons, or pipes. NVD also lists CWE-93. The referenced GitHub patch and the MetaCPAN 0.3.8 changes page support the existence of a fix in 0.3.8. No CVSS vector was supplied in the source corpus.
Official resources
- CVE-2026-46720 CVE record (CVE.org)
- CVE-2026-46720 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 9b29abf9-4ab0-4765-b253-1875cd9b441e
The CVE record was published on 2026-05-17T18:16:27.397Z, and the modified timestamp in the supplied source matches the publication time. This debrief uses that official CVE publication date only.