Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections_CVE-2026-11373

{
    "lastseen": "",
    "description": "Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections.\n\nNet::Statsite::Client is a client for the statsite protocol, which is a variant of statsd.\n\nNewlines are not removed from metric names, allowing metric injections.\n\nValues are not sanitised for newlines or other protocol control characters such as colons or pipes, allowing metric injections.",
    "published": "2026-06-22T11:28:06.211Z",
    "modified": "2026-06-22T15:33:17.415Z",
    "type": "cve",
    "title": "Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections",
    "source": "CPANSec",
    "references": "https://metacpan.org/release/JASEI/Net-Statsite-Client-1.1.0/view/lib/Net/Statsite/Client.pm\nhttps://security.metacpan.org/patches/N/Net-Statsite-Client/1.1.0/CVE-2026-11373-r1.patch\nhttp://armon.github.io/statsite\nhttps://www.cve.org/CVERecord?id=CVE-2026-46719\nhttps://www.cve.org/CVERecord?id=CVE-2026-46720\nhttps://www.cve.org/CVERecord?id=CVE-2026-46739",
    "id": "CVE-2026-11373",
    "bulletinFamily": "",
    "cwe": [
        "CWE-93",
        "CWE-150"
    ],
    "cvelist": null,
    "sourceData": "JASEI Net::Statsite::Client 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Net::Statsite::Client",
    "version": "0",
    "vendor": "JASEI",
    "ai_description": "Metric injections are possible due to newline characters not being removed from metric names and values not being sanitized for newlines or other protocol control characters.",
    "ai_severity": "Critical",
    "ai_vendor": "JASEI",
    "ai_product": "Net::Statsite::Client",
    "ai_version": "1.1.0",
    "ai_score": 9.1
}