Cyber Resilience

CVE-2026-50637

High · Updated

Published: 10 June 2026

Modified: 24 June 2026
KEV Added
Patch
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
EPSS Score: 0.0032 (24.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-50637 is a high-severity CRLF Injection (CWE-93) vulnerability in pevans Metrics::Any::Adapter::Statsd. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002). The CVE ranks at the 24.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Metrics::Any::Adapter::Statsd versions before 0.04 for Perl do not protect against metric injection. The statsd protocol (and its extensions) allows multiple metrics, separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names or values. If the names contain newlines and statsd control characters (colon, pipe), then metric injection is possible. Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.
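A defensive check along the lines of the 0.04 fix described above, as an added example rather than the module's own code. `is_safe_metric_name` and `format_metric` are hypothetical helpers, the value and type checks are assumptions beyond what the advisory says was fixed, and the sample inputs are constructed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical helper, not the module's _make method. Applies the rule the
# advisory describes: no characters below ASCII 32, no colon, no pipe.
sub is_safe_metric_name {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return $name =~ /[\x00-\x1f:|]/ ? 0 : 1;
}

# Hypothetical formatter: returns one "name:value|type" line or dies.
# The value and type checks are assumptions added for this example.
sub format_metric {
    my ($name, $value, $type) = @_;
    die "unsafe metric name\n" unless is_safe_metric_name($name);
    # \z (not $) so a trailing newline in the value is rejected too.
    die "unsafe metric value\n"
        unless defined $value && $value =~ /\A[+-]?\d+(?:\.\d+)?\z/;
    die "unknown metric type\n"
        unless defined $type && $type =~ /\A(?:c|g|ms|s)\z/;
    return "$name:$value|$type";
}

# Constructed sample inputs: [ name, value, type ].
my @samples = (
    [ 'app.requests',                 1,     'c'  ],
    [ "app.requests:1|c\napp.errors", 1,     'c'  ],  # newline, colon, pipe in name
    [ 'app.latency|ms',               12,    'ms' ],  # pipe in name
    [ "app.queue\r",                  5,     'g'  ],  # carriage return in name
    [ 'app.queue',                    "5\n", 'g'  ],  # newline in value
);

for my $s (@samples) {
    my $line = eval { format_metric(@$s) };
    my $err  = $@;
    chomp $err;
    # Escape control characters so the report itself stays on one line.
    (my $shown = $s->[0]) =~ s/([\x00-\x1f])/sprintf('\\x%02x', ord($1))/ge;
    printf "%-36s %s\n", $shown, defined $line ? "ok: $line" : "rejected ($err)";
}
```

Only the first sample produces a statsd line; the others are rejected before anything is written to the socket, which is also where a call site wrapping an unpatched version would need to apply the check.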

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1565.002 Transmitted Data Manipulation · Impact
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

CRLF/control char injection in metric names directly enables manipulation of transmitted StatsD metrics.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

pevans
metrics\
\

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
