CVE-2026-46740

MEDIUM 5.3

Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

1th

Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Version 0.06 changes the module from being a statsd client to using a separate statsd client. It defaults to using a version of Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720).

CWE	CWE-93
Vendor	rrwo
Product	mojolicious::plugin::statsd
Published	May 26, 2026
Last Updated	May 28, 2026

Stay Ahead of the Next One

Get instant alerts for rrwo mojolicious::plugin::statsd

Be the first to know when new medium vulnerabilities affecting rrwo mojolicious::plugin::statsd are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

RRWO / Mojolicious::Plugin::Statsd

0 ≤ 0.04

References

NVD ↗ CVE.org ↗ EPSS Data ↗

metacpan.org: https://metacpan.org/release/RRWO/Mojolicious-Plugin-Statsd-0.06/changes github.com: https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd/commit/f049156982a2c0b8050f173e24a04a29ddd64853.patch cve.org: https://www.cve.org/CVERecord?id=CVE-2026-46720