CVE-2026-9270

EPSS 0.33%
Veröffentlicht 05.06.2026 14:49:39
Zuletzt bearbeitet 10.06.2026 15:01:31
Quelle 9b29abf9-4ab0-4765-b253-1875cd
CVE-Watchlists
Login
Unerledigt
Login

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections.

DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.

The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix.

The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram.

The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections.

Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Binary ≫ Datadog::dogstatsd SwPlatformperl Version <= 0.07

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.247

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

https://www.cve.org/CVERecord?id=CVE-2026-46719

Third Party Advisory

https://www.cve.org/CVERecord?id=CVE-2026-46720

Third Party Advisory

https://www.cve.org/CVERecord?id=CVE-2026-46741

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-9270

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-9270

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-9270

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-9270