CVE-2026-11362 in DataDog::DogStatsdinfo

Summary

by MITRE • 06/05/2026

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags.

DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.

The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsible

CPANSec

Reservation

06/05/2026

Disclosure

06/05/2026

Moderation

accepted

Entry

VDB-368937

CPE

ready

CWE

CWE-93 (confirmed)

CVSS

7.3 (VulDB)

EPSS

0.00000

KEV

Activities

low

Sector

Energy, Hostingprovider, ...

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-11362
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-11362
CVE Details	https://www.cvedetails.com/cve/CVE-2026-11362/

◂ Previous Overview Next ▸

Want to know what is going to be exploited?

We predict KEV entries!