{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "description", "text": "Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.", "title": "Vulnerability Description" } ], "publisher": { "category": "other", "contact_details": "gdt@cpan.org", "name": "giterlizzi", "namespace": "https://github.com/giterlizzi/" }, "references": [ { "category": "self", "summary": "CPANSA-Net-Async-Statsd-2026-8722 JSON", "url": "https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2026/cpansa-net-async-statsd-2026-8722.json" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2026-46719", "url": "https://www.cve.org/CVERecord?id=CVE-2026-46719" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2026-46720", "url": "https://www.cve.org/CVERecord?id=CVE-2026-46720" }, { "category": "external", "summary": "CVE-2026-8722 (NVD)", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8722" } ], "title": "Net-Async-Statsd vulnerability", "tracking": { "current_release_date": "2026-06-04T00:00:00", "generator": { "engine": { "name": "CSAF Perl Toolkit", "version": "0.26" } }, "id": "CPANSA-Net-Async-Statsd-2026-8722", "initial_release_date": "2026-06-04T00:00:00", "revision_history": [ { "date": "2026-06-04T00:00:00", "number": "1", "summary": "First release" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:cpan/>0", "product": { "name": "Net-Async-Statsd greater than 0", "product_id": "CSAFPID-0001", "product_identification_helper": { "purl": "pkg:cpan/Net-Async-Statsd" } } } ], "category": "product_name", "name": "Net-Async-Statsd" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-8722", "cwe": { "id": "CWE-93", "name": "Improper Neutralization of CRLF Sequences ('CRLF Injection')" }, "notes": [ { "category": "description", "text": "Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections.\n\nThe metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.", "title": "Vulnerability Description" } ], "product_status": { "known_affected": [ "CSAFPID-0001" ] }, "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ] } ] }