CPANSA-DataDog-DogStatsd-2026-11362: DataDog-DogStatsd vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2026-06-05T00:00:00 | Engine | CSAF Perl Toolkit 0.26 |
| Current release date | 2026-06-05T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | | Severity | |
| Original language | | Language | en |
| Also referred to | | | |
Vulnerability Description
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)
Vulnerabilities
CVE-2026-11362
Vulnerability Description
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags.
DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.
The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)
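
The regex behaviour described above, as an added example (not code from DataDog::DogStatsd or from this advisory): it runs the unescaped substitution next to an escaped character class over constructed tag values. The helper names strip_pipes_unescaped, sanitise_tag and show, and the sample tags, are assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed sample tag values (not taken from the module or its tests).
my @tags = (
    "env:prod",                 # ordinary key:value tag
    "user:alice|bob",           # pipe: field separator in the datagram
    "team:a,team:b",            # comma: separates one tag from the next
    "host:web1\nsecond line",   # newline: starts a new datagram line
);

# The substitution quoted in the advisory. An unescaped | is alternation
# between two empty branches, so it matches the empty string at every
# position and replaces it with nothing: the value comes back unchanged.
sub strip_pipes_unescaped {
    my ($value) = @_;
    (my $out = $value) =~ s/|//g;
    return $out;
}

# Hypothetical hardened helper: inside a character class the pipe is a
# literal, and the comma and line breaks are removed with it. Colons are
# kept on the assumption that key:value tags must keep working; add ':'
# to the class if the caller does not need them.
sub sanitise_tag {
    my ($value) = @_;
    (my $out = $value) =~ s/[|,\r\n]//g;
    return $out;
}

# Render newlines visibly so each result stays on one output line.
sub show {
    my ($s) = @_;
    $s =~ s/\n/\\n/g;
    return $s;
}

for my $tag (@tags) {
    my $weak = strip_pipes_unescaped($tag);
    my $hard = sanitise_tag($tag);
    printf "%-24s unescaped s/|//g: %-9s hardened: %s\n",
        show($tag),
        ($weak eq $tag ? "no change" : "changed"),
        show($hard);
}
```
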
| Weakness | CWE-93 : Improper Neutralization of CRLF Sequences ('CRLF Injection') |
|---|---|
Product status
Known affected
| Product | Score |
|---|---|
| DataDog-DogStatsd greater than 0 | |
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-DataDog-DogStatsd-2026-11362 JSON (self): https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2026/cpansa-datadog-dogstatsd-2026-11362.json
- https://www.cve.org/CVERecord?id=CVE-2026-46719 (external)
- https://www.cve.org/CVERecord?id=CVE-2026-46720 (external)
- https://www.cve.org/CVERecord?id=CVE-2026-46741 (external)
- CVE-2026-11362 (NVD) (external): https://nvd.nist.gov/vuln/detail/CVE-2026-11362
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Fri Jun 5 00:00:00 2026 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/