CVE-2026-50638— Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| PEVANS | Metrics::Any::Adapter::DogStatsd | < 0.04 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-50638
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections
Source: NVD (National Vulnerability Database)
Vulnerability Description
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对CRLF序列的转义处理不恰当(CRLF注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Metrics::Any::Adapter::DogStatsd 注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Metrics::Any::Adapter::DogStatsd是PEVANS个人开发者的一个Perl指标采集适配器模块。 Metrics::Any::Adapter::DogStatsd 0.04之前版本存在注入漏洞,该漏洞源于_tags函数未检查标签中的换行符或statsd控制字符,导致可能进行指标注入。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| PEVANS | Metrics::Any::Adapter::DogStatsd | 0 ~ 0.04 | - |
II. Public POCs for CVE-2026-50638
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-50638
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-50638 (1)
News Coverage for CVE-2026-50638 (1)
Other References for CVE-2026-50638 (1)
- 🔗 Changes - metacpan.orgrelease-notes
Same Patch Batch · PEVANS · 2026-06-10 · 3 CVEs total
| CVE-2026-50639 | Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against met | |
| CVE-2026-50637 | Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metri |
IV. Related Vulnerabilities
Same weakness: CWE-93
- CVE-2026-9679
undici vulnerable to HTTP header injection via Set-Cookie pe - CVE-2026-12143
form-data does not escape CR/LF/quote in multipart field nam - CVE-2026-50629
Apache CXF: OAuth2: Log Injection via Unsanitized Client Ide - CVE-2026-50639
Metrics::Any::Adapter::SignalFx versions before 0.04 for Per - CVE-2026-50637
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl
V. Comments for CVE-2026-50638
No comments yet