CVE-2026-50638
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk24th percentile — higher than 24% of all known CVEs
Summary
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol allows multiple metrics to be sent per packet, creating a risk of injecting malicious data.
Risk Assessment
Organizations may be exposed to data manipulation, leading to incorrect analyses and decisions based on false information.
Recommendation
It is recommended to upgrade to version 0.04 or later to protect against metric injections and to validate tags for newlines and control characters.
Original NVD description (English source)
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.

