#1139163 libnet-statsd-perl: CVE-2026-46739

Package:
src:libnet-statsd-perl
Source:
src:libnet-statsd-perl
Submitter:
Salvatore Bonaccorso
Date:
2026-06-07 05:31:04 UTC
Severity:
normal
Tags:
#1139163#5
Date:
2026-06-06 18:46:44 UTC
From:
To:
Hi,

The following vulnerability was published for libnet-statsd-perl.

CVE-2026-46739[0]:
| Net::Statsd versions before 0.13 for Perl allow metric injections.
| The metric names are not checked for newlines, colons or pipes.
| Metrics generated from untrusted sources could inject additional
| statsd metrics.  The update_stats (used for updating counters) and
| gauge methods do not check that values are numeric (which would
| block metric injection).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-46739
https://www.cve.org/CVERecord?id=CVE-2026-46739
[1] https://github.com/cosimo/perl5-net-statsd/pull/10
[2] https://lists.security.metacpan.org/cve-announce/msg/40702251/
[3] https://github.com/cosimo/perl5-net-statsd/commit/a10b10173d6751991b7ade14b86dd272439d2283
[4] https://github.com/cosimo/perl5-net-statsd/commit/583dfdf0385120768d6cfca7264a6ebf337ff377

Regards,
Salvatore