========================================================================
CVE-2026-8788                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-8788
   Distribution:  Net-Statsd-Lite
       Versions:  through 0.10.0

       MetaCPAN:  https://metacpan.org/dist/Net-Statsd-Lite
       VCS Repo:  https://github.com/robrwo/Net-Statsd-Lite

Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric
injections

Description
-----------
Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric
injections.

The values from the set_add method were not checked for newlines,
colons or pipes. Metrics generated from untrusted sources could inject
additional statsd metrics.

Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric
names.

Problem types
-------------
- CWE-93 Improper Neutralization of CRLF Sequences

Workarounds
-----------
In version 0.10.0, use the secure_set_add method which logs an HMAC
digest of the value instead of the raw value.

Validate that all values sent to the client based on untrusted data do
not contain metric injections.

Solutions
---------
Upgrade to Net::Statsd::Lite version 0.10.1 or later.

References
----------
https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.10.1/changes
https://www.cve.org/CVERecord?id=CVE-2026-46719

Timeline
--------
- 2026-05-14: Issue reported to CPANSec
- 2026-05-15: Author notified
- 2026-05-16: Fix released for CVE-2026-46719
- 2026-05-17: CVE-2026-8788 identified by author
- 2025-05-17: Fix released for CVE-2026-8788