CVE-2026-8722: Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections

CVE-2026-8722: Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections Robert Rothenberg 03 Jun 2026 23:47 UTC

========================================================================
CVE-2026-8722                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-8722
   Distribution:  Net-Async-Statsd
       Versions:  through 0.005

       MetaCPAN:  https://metacpan.org/dist/Net-Async-Statsd
       VCS Repo:  https://github.com/team-at-cpan/Net-Async-Statsd

Net::Async::Statsd::Client versions through 0.005 for Perl allow metric
injections

Description
-----------
Net::Async::Statsd::Client versions through 0.005 for Perl allow metric
injections.

The metric names are not checked for newlines, colons or pipes. Metrics
generated from untrusted sources could inject additional statsd
metrics.

Problem types
-------------
- CWE-93 Improper Neutralization of CRLF Sequences

Workarounds
-----------
Ensure only trusted data is submitted to metrics.

References
----------
https://www.cve.org/CVERecord?id=CVE-2026-46719
https://www.cve.org/CVERecord?id=CVE-2026-46720