CVE-2026-9270

{"id": "CVE-2026-9270", "cveTags": [], "metrics": {}, "published": "2026-06-05T16:16:41.780", "references": [{"url": "https://www.cve.org/CVERecord?id=CVE-2026-46719", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-46720", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-46741", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}], "vulnStatus": "Undergoing Analysis", "weaknesses": [{"type": "Secondary", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "description": [{"lang": "en", "value": "CWE-93"}, {"lang": "en", "value": "CWE-150"}]}], "descriptions": [{"lang": "en", "value": "DataDog::DogStatsd versions through 0.07 for Perl allow metric injections.\n\nDataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.\n\nThe send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix.\n\nThe send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram.\n\nThe send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections.\n\nNote that the SYNOPSIS shows an example of passing a website form \"loginName\" parameter as a tag, which is unsafe."}], "lastModified": "2026-06-05T17:04:07.863", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}