SecuriTricks - CVE-2026-9270

Description

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix. The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram. The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections. Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.

Product(s) Impacted

Vendor	Product	Versions
Datadog	Dogstatsd	<0.07

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	datadog	dogstatsd	<0.07	/	/	/	/	/	/	/

References

https://www.cve.org/CVERecord?id=CVE-2026-46719

https://www.cve.org/CVERecord?id=CVE-2026-46720

https://www.cve.org/CVERecord?id=CVE-2026-46741

Timeline

Published: June 5, 2026, 4:16 p.m.
Last Modified: June 5, 2026, 5:04 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

9b29abf9-4ab0-4765-b253-1875cd9b441e

CVE-2026-9270