CVE-2026-50638

216.73.216.233

· Published 10/06/2026 21:16 · Modified 11/06/2026 20:16 · Author: The MITRE Corporation

Labels: CVE-2026-50638 2026-06-10 9b29abf9-4ab0-4765-b253-1875cd9b441e CVE-2026-50638 CWE-93

Essential information

Published: 10/06/2026 21:16
Modified: 11/06/2026 20:16
Author: The MITRE Corporation
Creator: The MITRE Corporation
CVSS: 9.1 CRITICAL (v3.1)
CISA KEV: No
CWE: CWE-93
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS metrics

Description

Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: nist-nvd-api
NVD: View on NVD

Affected products (CPE)

Product	CPE
cpe:2.3:a:metrics::any:metrics_any_adapter_dogstatsd:::::::*	`cpe:2.3:a:metrics::any:metrics_any_adapter_dogstatsd:::::::*`
cpe:2.3:a:metrics::any:metrics_any_adapter_statsd:::::::*	`cpe:2.3:a:metrics::any:metrics_any_adapter_statsd:::::::*`

Product	CPE
cpe:2.3:a:metrics::any:metrics_any_adapter_dogstatsd:::::::*	`cpe:2.3:a:metrics::any:metrics_any_adapter_dogstatsd:::::::*`
cpe:2.3:a:metrics::any:metrics_any_adapter_statsd:::::::*	`cpe:2.3:a:metrics::any:metrics_any_adapter_statsd:::::::*`