CVE-2026-11362

CRITICAL 9.8

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

8th

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)

CWE	CWE-93 CWE-150
Vendor	binary
Product	datadog::dogstatsd
Published	Jun 5, 2026
Last Updated	Jun 8, 2026

Stay Ahead of the Next One

Get instant alerts for binary datadog::dogstatsd

Be the first to know when new critical vulnerabilities affecting binary datadog::dogstatsd are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

BINARY / DataDog::DogStatsd

0 ≤ 0.07

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cve.org: https://www.cve.org/CVERecord?id=CVE-2026-46741 cve.org: https://www.cve.org/CVERecord?id=CVE-2026-46719 cve.org: https://www.cve.org/CVERecord?id=CVE-2026-46720