CVE-2026-46740: Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections
Robert Rothenberg 26 May 2026 22:49 UTC
========================================================================
CVE-2026-46740 CPAN Security Group
========================================================================
CVE ID: CVE-2026-46740
Distribution: Mojolicious-Plugin-Statsd
Versions: through 0.04
MetaCPAN: https://metacpan.org/dist/Mojolicious-Plugin-Statsd
VCS Repo: https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd
Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed
metric injections
Description
-----------
Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed
metric injections.
The metric names and set values were not checked for newlines, colons
or pipes. Metrics generated from untrusted sources could inject
additional statsd metrics.
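
The effect of the missing check, as an added example (not code from the plugin or from Net::Statsd::Tiny). It assumes the plain statsd line format name:value|type with newline-separated metrics in one payload; the function names and the sample input are constructed for illustration.

```perl
use strict;
use warnings;

# Unchecked formatting: the name and value go onto the wire as given.
sub format_unchecked {
    my ( $name, $value, $type ) = @_;
    return "$name:$value|$type";
}

# Hypothetical checked formatter: reject line breaks and the statsd
# delimiters (colon, pipe) in names and set values rather than rewriting them.
sub format_checked {
    my ( $name, $value, $type ) = @_;
    die "invalid metric name\n"
        if !length($name) || $name =~ /[\r\n:|]/;
    die "invalid set value\n"
        if $type eq 's' && ( !length($value) || $value =~ /[\r\n:|]/ );
    return "$name:$value|$type";
}

# Split a payload the way a newline-delimited statsd receiver would.
sub lines_received {
    my ($payload) = @_;
    return grep { $_ ne '' } split /\n/, $payload;
}

# Constructed input: a metric name that embeds a request-derived string.
my $untrusted = "page.home:1|c\nlogin.failures";

my @seen = lines_received( format_unchecked( $untrusted, 1, 'c' ) );
printf "unchecked: %d metric lines from one call\n", scalar @seen;
print "  $_\n" for @seen;

for my $name ( $untrusted, 'page.home' ) {
    my $line = eval { format_checked( $name, 1, 'c' ) };
    if ( defined $line ) { print "checked: sent $line\n" }
    else                 { print "checked: rejected, $@" }
}
```

The unchecked call yields two metric lines from a single increment; the checked formatter rejects the same name and passes the plain one through unchanged.
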
Version 0.06 changes the module from being a statsd client to using a
separate statsd client. It defaults to using a version of
Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720).
Problem types
-------------
- CWE-93 Improper Neutralization of CRLF Sequences
Solutions
---------
Upgrade to Mojolicious::Plugin::Statsd version 0.06 or later.
References
----------
https://metacpan.org/release/RRWO/Mojolicious-Plugin-Statsd-0.06/changes
https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd/commit/f049156982a2c0b8050f173e24a04a29ddd64853.patch
https://www.cve.org/CVERecord?id=CVE-2026-46720