========================================================================
CVE-2026-46740                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-46740
  Distribution:  Mojolicious-Plugin-Statsd
      Versions:  through 0.04

      MetaCPAN: https://metacpan.org/dist/Mojolicious-Plugin-Statsd
      VCS Repo: https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd


Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed
metric injections

Description
-----------
Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed
metric injections.

The metric names and set values were not checked for newlines, colons
or pipes. Metrics generated from untrusted sources could inject
additional statsd metrics.
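
The effect of the missing check described above, shown as an added Perl example (not code from Mojolicious::Plugin::Statsd or Net::Statsd::Tiny). A statsd datagram carries one `name:value|type` metric per line, so a field containing a newline becomes an extra line. The function names and the sample value are constructed for illustration, and rejecting carriage returns is an assumption beyond the three characters the advisory names.

```perl
#!/usr/bin/env perl
# Added illustration; hypothetical helpers, not the plugin's API.
use strict;
use warnings;

# Unchecked formatter: interpolates caller-supplied fields as-is.
sub format_unchecked {
    my ($name, $value, $type) = @_;
    return "$name:$value|$type";
}

# Checked formatter: refuses a name or set value that contains a
# protocol delimiter (newline, colon, pipe) or a carriage return.
sub format_checked {
    my ($name, $value, $type) = @_;
    for my $field ($name, $value) {
        die "invalid statsd field\n"
            if !defined $field || $field eq '' || $field =~ /[\r\n:|]/;
    }
    return "$name:$value|$type";
}

# Lines a statsd server would see in one datagram.
sub wire_lines {
    my ($datagram) = @_;
    return grep { length } split /\n/, $datagram;
}

# Constructed sample: a set value copied from an untrusted request field.
my $untrusted = "alice\nlogins.failed:1|c";

my @lines = wire_lines(format_unchecked('users.seen', $untrusted, 's'));
printf "unchecked: %d line(s) on the wire\n", scalar @lines;
print  "  $_\n" for @lines;

my $ok = eval { format_checked('users.seen', $untrusted, 's') };
(my $err = $@) =~ s/\s+\z//;
print defined $ok ? "checked: $ok\n" : "checked: rejected ($err)\n";

# A well-formed set value passes through unchanged.
print "checked: ", format_checked('users.seen', 'alice', 's'), "\n";
```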

Version 0.06 changes the module from being a statsd client to using a
separate statsd client. It defaults to using a version of
Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720).

Problem types
-------------
- CWE-93 Improper Neutralization of CRLF Sequences

Solutions
---------
Upgrade to Mojolicious::Plugin::Statsd version 0.06 or later.


References
----------
https://metacpan.org/release/RRWO/Mojolicious-Plugin-Statsd-0.06/changes
https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd/commit/f049156982a2c0b8050f173e24a04a29ddd64853.patch
https://www.cve.org/CVERecord?id=CVE-2026-46720


