{"id":"CVE-2026-8788","summary":"Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections","details":"Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections.\n\nThe values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.\n\nNote that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names.","modified":"2026-07-08T08:09:50.290719389Z","published":"2026-05-18T06:34:24.030Z","database_specific":{"cna_assigner":"CPANSec","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8788.json","cwe_ids":["CWE-150","CWE-93"]},"references":[{"type":"WEB","url":"https://cpan.org/modules"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2026-46719"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8788.json"},{"type":"ADVISORY","url":"https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.10.1/changes"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8788"},{"type":"PACKAGE","url":"https://github.com/robrwo/Net-Statsd-Lite"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/robrwo/net-statsd-lite","events":[{"introduced":"0"},{"last_affected":"b541957bbbd07bc63430c22ab4493777b3f16404"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"0.10.0"}],"source":"AFFECTED_FIELD"}}],"versions":["v0.10.0","v0.9.0","v0.8.0","v0.7.1","v0.7.0","v0.6.3","v0.6.2","v0.6.1","v0.6.0","v0.5.2","v0.5.1","v0.5.0","v0.4.10","v0.4.9","v0.4.8","v0.4.7","v0.4.6","v0.4.5","v0.4.4","v0.4.3","v0.4.2","v0.4.1","v0.4.0","v0.3.1","v0.3.0","v0.2.1","v0.2.0","v0.1.1","v0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8788.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}