CVE-2026-11373 | Net::Statsite::Client versions through 1.1.0 for Perl allow …

Description

Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol control characters such as colons or pipes, allowing metric injections.

Metadata

CVE ID: CVE-2026-11373
State: PUBLISHED
Assigner: CPANSec
Reserved: 2026-06-05 12:15 UTC
Published: 2026-06-22 11:28 UTC
Last updated: 2026-06-22 11:28 UTC
Primary CWE: CWE-93
CWE-93 Improper Neutralization of CRLF Sequences
Vendor / Product: JASEI / Net::Statsite::Client
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (1)

Vendor	Product	Platform	Versions
JASEI	Net::Statsite::Client	—	0 ≤ 1.1.0

Weakness (CWE)

CWE	Source	Description
CWE-150	cna	CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences
CWE-93	cna	CWE-93 Improper Neutralization of CRLF Sequences

References (6)