cvedb.io
CVE-2026-9270
CRITICAL · CVSS 9.1
EPSS exploitation probability: 0%
Published 2026-06-05T16:16:41.780 · Last modified 2026-06-17T11:04:59.553

Summary

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix. The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram. The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections. Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a ta

Affected products

binary — datadog\

Does this affect you?

Add your gear to cvedb and we'll alert you only when binary ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.