216.73.217.22

CVE-2026-50637

· Published 10/06/2026 21:16 · Modified 11/06/2026 20:16 · Author: The MITRE Corporation

Labels: CVE-2026-50637 2026-06-109b29abf9-4ab0-4765-b253-1875cd9b441eCVE-2026-50637CWE-93

Essential information

Published
10/06/2026 21:16
Modified
11/06/2026 20:16
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
8.2 HIGH (v3.1)
CISA KEV
No
CWE
CWE-93
EPSS (First)
P8.3% ?EPSS percentile: rank of this vulnerability versus all others. Higher percentile = more likely to be exploited. Learn more (score 0.00028)
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

CVSS metrics

Description

Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions) allow mutiple metrics,separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible. Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
nist-nvd-api
NVD
View on NVD

Affected products (CPE)

ProductCPE
perl / metrics any adapter statsd cpe:2.3:a:perl:metrics_any_adapter_statsd:<0.04:*:*:*:*:*:*:*

References