CVE-2026-50638
June 10, 2026, 8:19 p.m.
None
No Score
Description
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections.
The statsd protocol (and extensions such as dogstatsd) allow mutiple metrics,separated by newlines, to be sent per packet.
Metrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.
In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Metrics |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | metrics | any | metrics_any_adapter_dogstatsd | / | / | / | / | / | / | |
| a | metrics | any | metrics_any_adapter_statsd | / | / | / | / | / | / |
Tags
Timeline
Published: June 10, 2026, 7:16 p.m.
Last Modified: June 10, 2026, 8:19 p.m.
Last Modified: June 10, 2026, 8:19 p.m.
Status : Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
9b29abf9-4ab0-4765-b253-1875cd9b441e
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.