CWE-150
Improper Neutralization of Escape, Meta, or Control Sequences
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
CVE-2026-46740 (GCVE-0-2026-46740)
Vulnerability from cvelistv5 – Published: 2026-05-26 22:48 – Updated: 2026-06-19 15:31| URL | Tags |
|---|---|
| https://metacpan.org/release/RRWO/Mojolicious-Plu… | release-notes |
| https://github.com/robrwo/perl-Mojolicious-Plugin… | patch |
| https://www.cve.org/CVERecord?id=CVE-2026-46720 | related |
| Vendor | Product | Version | |
|---|---|---|---|
| RRWO | Mojolicious::Plugin::Statsd |
Affected:
0 , ≤ 0.04
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-46740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T14:20:31.875781Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T14:20:34.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Mojolicious-Plugin-Statsd",
"product": "Mojolicious::Plugin::Statsd",
"repo": "https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd",
"vendor": "RRWO",
"versions": [
{
"lessThanOrEqual": "0.04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections.\n\nThe metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.\n\nVersion 0.06 changes the module from being a statsd client to using a separate statsd client. It defaults to using a version of Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T15:31:12.368Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/RRWO/Mojolicious-Plugin-Statsd-0.06/changes"
},
{
"tags": [
"patch"
],
"url": "https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd/commit/f049156982a2c0b8050f173e24a04a29ddd64853.patch"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Mojolicious::Plugin::Statsd version 0.06 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-46740",
"datePublished": "2026-05-26T22:48:03.747Z",
"dateReserved": "2026-05-17T18:04:31.500Z",
"dateUpdated": "2026-06-19T15:31:12.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46741 (GCVE-0-2026-46741)
Vulnerability from cvelistv5 – Published: 2026-06-04 15:54 – Updated: 2026-06-19 15:31| URL | Tags |
|---|---|
| https://www.cve.org/CVERecord?id=CVE-2026-46719 | related |
| https://www.cve.org/CVERecord?id=CVE-2026-46720 | related |
| Vendor | Product | Version | |
|---|---|---|---|
| SANBEG | Etsy::StatsD |
Affected:
0 , ≤ 1.002002
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-46741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T17:40:21.895127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T17:41:32.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Etsy-StatsD",
"product": "Etsy::StatsD",
"programRoutines": [
{
"name": "Etsy::StatsD::timing"
},
{
"name": "Etsy::StatsD::update"
},
{
"name": "Etsy::StatsD::send"
}
],
"repo": "https://github.com/sanbeg/Etsy-Statsd",
"vendor": "SANBEG",
"versions": [
{
"lessThanOrEqual": "1.002002",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Etsy::StatsD versions through 1.002002 for Perl allow metric injections.\n\nThe metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.\n\nNote that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T15:31:51.624Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Etsy::StatsD versions through 1.002002 for Perl allow metric injections",
"workarounds": [
{
"lang": "en",
"value": "Ensure only trusted data is submitted to metrics."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-46741",
"datePublished": "2026-06-04T15:54:48.934Z",
"dateReserved": "2026-05-17T18:04:31.500Z",
"dateUpdated": "2026-06-19T15:31:51.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47090 (GCVE-0-2026-47090)
Vulnerability from cvelistv5 – Published: 2026-05-18 19:31 – Updated: 2026-06-23 16:16 X_Open Source- CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
| URL | Tags |
|---|---|
| https://github.com/jarrodwatts/claude-hud/issues/485 | issue-tracking |
| https://github.com/jarrodwatts/claude-hud/pull/487 | issue-tracking |
| https://github.com/jarrodwatts/claude-hud/commit/… | patch |
| https://www.vulncheck.com/advisories/claude-hud-t… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| jarrodwatts | claude-hud |
Affected:
0 , ≤ 0.0.12
(semver)
Unaffected: 234d9aad919b51326a43bcf90b45ae35c23afc30 (git) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47090",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T12:48:31.952470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T12:48:39.819Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "claude-hud",
"repo": "https://github.com/jarrodwatts/claude-hud",
"vendor": "jarrodwatts",
"versions": [
{
"lessThanOrEqual": "0.0.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "234d9aad919b51326a43bcf90b45ae35c23afc30",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Katriel Moses"
}
],
"datePublic": "2026-04-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can embed ESC+backslash sequences in the current working directory or branch URL to execute malicious ANSI codes including text color changes, forged prompts, and OSC 52 clipboard writes, or trigger outbound HTTP requests to attacker-controlled remotes when hyperlinks are clicked."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 2.4,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-23T16:16:35.053Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/jarrodwatts/claude-hud/issues/485"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/jarrodwatts/claude-hud/pull/487"
},
{
"tags": [
"patch"
],
"url": "https://github.com/jarrodwatts/claude-hud/commit/234d9aad919b51326a43bcf90b45ae35c23afc30"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/claude-hud-terminal-injection-via-osc-8-hyperlinks"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Claude HUD 0.0.12 Terminal Injection via OSC 8 Hyperlinks",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-47090",
"datePublished": "2026-05-18T19:31:33.193Z",
"dateReserved": "2026-05-18T19:22:26.747Z",
"dateUpdated": "2026-06-23T16:16:35.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49147 (GCVE-0-2026-49147)
Vulnerability from cvelistv5 – Published: 2026-07-08 14:55 – Updated: 2026-07-08 17:31- CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T15:22:36.769783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:22:39.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-07-08T17:31:34.336Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/08/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "ack",
"product": "App::Ack",
"programFiles": [
"lib/App/Ack.pm",
"ack"
],
"programRoutines": [
{
"name": "App::Ack::show_types"
},
{
"name": "file_loop_lL"
},
{
"name": "file_loop_c"
}
],
"repo": "https://github.com/beyondgrep/ack3",
"vendor": "PETDANCE",
"versions": [
{
"lessThanOrEqual": "3.10.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Micha\u0142 Majchrowicz (AFINE)"
},
{
"lang": "en",
"type": "finder",
"value": "Marcin Wyczechowski (AFINE)"
}
],
"descriptions": [
{
"lang": "en",
"value": "App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes.\n\nWhen ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename.\n\nA file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T14:55:50.232Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PETDANCE/ack-v3.10.0/source/Changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to a future ack release."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Version 3.10.0 released with partial fix for most output paths."
}
],
"title": "App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes",
"workarounds": [
{
"lang": "en",
"value": "Pipe ack output through a filter that strips terminal control characters when running ack over untrusted filenames."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-49147",
"datePublished": "2026-07-08T14:55:50.232Z",
"dateReserved": "2026-05-27T17:50:04.538Z",
"dateUpdated": "2026-07-08T17:31:34.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50637 (GCVE-0-2026-50637)
Vulnerability from cvelistv5 – Published: 2026-06-10 18:32 – Updated: 2026-06-19 15:32| Vendor | Product | Version | |
|---|---|---|---|
| PEVANS | Metrics::Any::Adapter::Statsd |
Affected:
0 , < 0.04
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-50637",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T19:09:57.520776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T19:10:34.115Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Metrics-Any-Adapter-Statsd",
"product": "Metrics::Any::Adapter::Statsd",
"programRoutines": [
{
"name": "Metrics::Any::Adapter::Statsd::_make"
},
{
"name": "Metrics::Any::Adapter::Statsd::send"
}
],
"vendor": "PEVANS",
"versions": [
{
"lessThan": "0.04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections.\n\nThe statsd protocol (and extensions) allow mutiple metrics, separated by newlines, to be sent per packet.\n\nThe send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible.\n\nVersion 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T15:32:41.370Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46739"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50638"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50639"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to v0.04 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-50637",
"datePublished": "2026-06-10T18:32:11.614Z",
"dateReserved": "2026-06-05T12:07:20.886Z",
"dateUpdated": "2026-06-19T15:32:41.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50638 (GCVE-0-2026-50638)
Vulnerability from cvelistv5 – Published: 2026-06-10 18:32 – Updated: 2026-06-19 15:32| URL | Tags |
|---|---|
| https://metacpan.org/release/PEVANS/Metrics-Any-A… | release-notes |
| https://www.cve.org/CVERecord?id=CVE-2026-9270 | related |
| https://www.cve.org/CVERecord?id=CVE-2026-50637 | related |
| https://www.cve.org/CVERecord?id=CVE-2026-50639 | related |
| Vendor | Product | Version | |
|---|---|---|---|
| PEVANS | Metrics::Any::Adapter::DogStatsd |
Affected:
0 , < 0.04
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-50638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T19:10:59.333211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T19:11:42.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Metrics-Any-Adapter-Statsd",
"product": "Metrics::Any::Adapter::DogStatsd",
"programRoutines": [
{
"name": "Metrics::Any::Adapter::DogStatsd::_tags"
}
],
"vendor": "PEVANS",
"versions": [
{
"lessThan": "0.04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections.\n\nThe statsd protocol (and extensions such as dogstatsd) allow mutiple metrics, separated by newlines, to be sent per packet.\n\nMetrics::Any::Adapter::DogStatsd which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.\n\nIn addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T15:32:58.508Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9270"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50637"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50639"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to v0.04 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-50638",
"datePublished": "2026-06-10T18:32:21.666Z",
"dateReserved": "2026-06-05T12:07:20.886Z",
"dateUpdated": "2026-06-19T15:32:58.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50639 (GCVE-0-2026-50639)
Vulnerability from cvelistv5 – Published: 2026-06-10 18:32 – Updated: 2026-06-19 15:33| URL | Tags |
|---|---|
| https://metacpan.org/release/PEVANS/Metrics-Any-A… | release-notes |
| https://www.cve.org/CVERecord?id=CVE-2026-50637 | related |
| https://www.cve.org/CVERecord?id=CVE-2026-50638 | related |
| https://www.cve.org/CVERecord?id=CVE-2026-9270 | related |
| Vendor | Product | Version | |
|---|---|---|---|
| PEVANS | Metrics::Any::Adapter::SignalFx |
Affected:
0 , < 0.04
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-50639",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T19:38:09.757142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T19:38:13.983Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Metrics-Any-Adapter-Statsd",
"product": "Metrics::Any::Adapter::SignalFx",
"programRoutines": [
{
"name": "Metrics::Any::Adapter::SignalFx:_labels"
},
{
"name": "Metrics::Any::Adapter::SignalFx::send"
}
],
"vendor": "PEVANS",
"versions": [
{
"lessThan": "0.04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections.\n\nThe statsd protocol (and extensions such as dogstatsd) allow mutiple metrics, separated by newlines, to be sent per packet.\n\nMetrics::Any::Adapter::SignalFx which extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.\n\nIn addition, the _labels function does not check tags labels newlines or statsd control characters. The labels can be used for metric injections."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T15:33:21.954Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50637"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50638"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9270"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to v0.04 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl does not protect against metric injections",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-50639",
"datePublished": "2026-06-10T18:32:30.054Z",
"dateReserved": "2026-06-05T12:07:20.886Z",
"dateUpdated": "2026-06-19T15:33:21.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54057 (GCVE-0-2026-54057)
Vulnerability from cvelistv5 – Published: 2026-06-12 20:07 – Updated: 2026-06-16 03:55| URL | Tags |
|---|---|
| https://github.com/kovidgoyal/kitty/security/advi… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| kovidgoyal | kitty |
Affected:
< 0.47.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54057",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-15T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T03:55:59.652Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/kovidgoyal/kitty/security/advisories/GHSA-5gmr-9gwg-hhq6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kitty",
"vendor": "kovidgoyal",
"versions": [
{
"status": "affected",
"version": "\u003c 0.47.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty\u0027s OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell\u0027s input without sanitization. Version 0.47.3 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T20:07:00.209Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kovidgoyal/kitty/security/advisories/GHSA-5gmr-9gwg-hhq6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kovidgoyal/kitty/security/advisories/GHSA-5gmr-9gwg-hhq6"
}
],
"source": {
"advisory": "GHSA-5gmr-9gwg-hhq6",
"discovery": "UNKNOWN"
},
"title": "Kitty vulnerable to command injection via unsanitized OSC 21 query reply"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54057",
"datePublished": "2026-06-12T20:07:00.209Z",
"dateReserved": "2026-06-11T18:24:35.096Z",
"dateUpdated": "2026-06-16T03:55:59.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6019 (GCVE-0-2026-6019)
Vulnerability from cvelistv5 – Published: 2026-04-22 19:28 – Updated: 2026-06-10 18:58- CWE-150 - Improper neutralization of escape, meta, or control sequences
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.13.14
(python)
Affected: 3.14.0a1 , < 3.14.5rc1 (python) Affected: 3.15.0a1 , < 3.15.0b1 (python) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6019",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T20:02:17.071906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T20:02:34.468Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.13.14",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.14.5rc1",
"status": "affected",
"version": "3.14.0a1",
"versionType": "python"
},
{
"lessThan": "3.15.0b1",
"status": "affected",
"version": "3.15.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "oolongeya (https://github.com/komi22)"
},
{
"lang": "en",
"type": "coordinator",
"value": "Seth Larson (https://github.com/sethmlarson)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ccode\u003ehttp.cookies.Morsel.js_output()\u003c/code\u003e returns an inline \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e snippet and only escapes \u003ccode\u003e\"\u003c/code\u003e for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence \u003ccode\u003e\u0026lt;/script\u0026gt;\u003c/code\u003e inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value."
}
],
"value": "http.cookies.Morsel.js_output() returns an inline \u003cscript\u003e snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence \u003c/script\u003e inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150 Improper neutralization of escape, meta, or control sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:58:07.798Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/148848"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/90309"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "BaseCookie.js_output() does not neutralize embedded characters",
"x_generator": {
"engine": "Vulnogram 0.6.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2026-6019",
"datePublished": "2026-04-22T19:28:08.720Z",
"dateReserved": "2026-04-09T15:35:00.668Z",
"dateUpdated": "2026-06-10T18:58:07.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8722 (GCVE-0-2026-8722)
Vulnerability from cvelistv5 – Published: 2026-06-03 23:45 – Updated: 2026-06-19 15:33| URL | Tags |
|---|---|
| https://www.cve.org/CVERecord?id=CVE-2026-46719 | related |
| https://www.cve.org/CVERecord?id=CVE-2026-46720 | related |
| Vendor | Product | Version | |
|---|---|---|---|
| TEAM | Net::Async::Statsd::Client |
Affected:
0 , ≤ 0.005
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T18:30:45.633771Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T18:31:02.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-Async-Statsd",
"product": "Net::Async::Statsd::Client",
"programRoutines": [
{
"name": "Net::Async::Statsd::Client::queue_stat"
}
],
"repo": "https://github.com/team-at-cpan/Net-Async-Statsd",
"vendor": "TEAM",
"versions": [
{
"lessThanOrEqual": "0.005",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections.\n\nThe metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T15:33:53.933Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
},
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections",
"workarounds": [
{
"lang": "en",
"value": "Ensure only trusted data is submitted to metrics."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-8722",
"datePublished": "2026-06-03T23:45:27.353Z",
"dateReserved": "2026-05-16T01:26:22.806Z",
"dateUpdated": "2026-06-19T15:33:53.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phases:
Description:
- Developers should anticipate that escape, meta and control characters/sequences will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
Mitigation ID: MIT-5
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation ID: MIT-28
Phase: Implementation
Strategy: Output Encoding
Description:
- While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
Mitigation ID: MIT-20
Phase: Implementation
Strategy: Input Validation
Description:
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Mitigation
Phase: Implementation
Description:
- When using output from an LLM, neutralize or strip escape codes before redirecting output to the terminal or other rendering engine that would process the codes. The neutralization could require that the character be printable and/or allowable whitespace, such as a carriage return or newline. Be deliberate about what to allow.
Mitigation
Phase: Build and Compilation
Description:
- When using an LLM: during tokenizer training, suppress escape codes from the tokenizer's vocabulary. Depending on context, this could be accomplished by removing the codes from input to the tokenizer, or removing the map from the string to its token ID. It is generally unlikely that this removal would adversely affect the quality or correctness of what is generated, e.g. advice requests for terminal settings to change colors.
CAPEC-134: Email Injection
An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.
CAPEC-41: Using Meta-characters in E-mail Headers to Inject Malicious Payloads
This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-93: Log Injection-Tampering-Forging
This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.