PT-2026-46972 · Binary · Datadog::Dogstatsd
Published 2026-06-05 · Updated 2026-06-05 · CVE-2026-9270
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections.
DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.
The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix.
The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram.
The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections.
Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.
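One way for calling code to validate the three inputs named above (metric name, value, tags) before they reach the module. This is an added example, not code from DataDog::DogStatsd or from this advisory; the helper names, allow-lists and length limits are assumptions, and the sample input is constructed.

```perl
#!/usr/bin/perl
# Added example: caller-side validation of data passed to a DogStatsD client.
# Helper names, allow-lists and length limits are assumptions for illustration.
use strict;
use warnings;

# Metric and tag-key names: letters, digits, '_' and '.' only.
# \A and \z anchor the whole string; '$' would still accept a trailing newline.
sub safe_metric_name {
    my ($name) = @_;
    return unless defined $name && !ref $name;
    return unless $name =~ /\A[A-Za-z][A-Za-z0-9_.]{0,199}\z/;
    return $name;
}

# Values for count, gauge and histogram: a plain decimal number, nothing else.
sub safe_number {
    my ($value) = @_;
    return unless defined $value && !ref $value;
    return unless $value =~ /\A[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?\z/;
    return $value;
}

# Tag values and set members: replace every character outside a small
# allow-list, which removes newline, '|', ':', ',', '#' and '@'.
sub safe_token {
    my ($text) = @_;
    return '' unless defined $text && !ref $text;
    (my $clean = $text) =~ s/[^A-Za-z0-9_.\-\/]/_/g;
    return substr($clean, 0, 200);
}

# Build "key:value" from a key fixed in code and an untrusted value.
sub safe_tag {
    my ($key, $value) = @_;
    my $k = safe_metric_name($key) // die "invalid tag key\n";
    return $k . ':' . safe_token($value);
}

# Constructed sample: a form field carrying a newline, a colon and a pipe.
my $login_name = "alice\nother.metric:1|c";
print safe_tag('login', $login_name), "\n";
print defined safe_number("1\nother.metric:1|c") ? "accepted\n" : "rejected\n";
print defined safe_number('42.5')                ? "accepted\n" : "rejected\n";
print defined safe_metric_name("page.views\n")   ? "accepted\n" : "rejected\n";
```

Names and numeric values are rejected rather than repaired, so a caller can log and drop the bad input; only free-form tag values and set members are rewritten.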
Affected Products
Datadog::Dogstatsd