CVE-2026-11373 · Symaro Security Advisory

Description

Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol control characters such as colons or pipes, allowing metric injections.

Weaknesses

CWE-93 — CWE-93 Improper Neutralization of CRLF Sequences
CWE-150 — CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences

Affected products

Vendor	Product	Versions
JASEI	Net::Statsite::Client	0 to <=1.1.0

References

https://metacpan.org/release/JASEI/Net-Statsite-Client-1.1.0/view/lib/Net/Statsite/Client.pm
https://security.metacpan.org/patches/N/Net-Statsite-Client/1.1.0/CVE-2026-11373-r1.patch (patch)
http://armon.github.io/statsite (technical-description)
https://www.cve.org/CVERecord?id=CVE-2026-46719 (related)
https://www.cve.org/CVERecord?id=CVE-2026-46720 (related)
https://www.cve.org/CVERecord?id=CVE-2026-46739 (related)

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 22 Jun 2026 14:43 UTC.