Cyber Resilience

CVE-2026-50638

Critical · Updated

Published: 10 June 2026

Modified: 24 June 2026
KEV Added
Patch
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0034 (26.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-50638 is a critical-severity CRLF Injection (CWE-93) vulnerability in Pevans Metrics. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 26.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl do not protect against metric injections. The statsd protocol (and extensions such as dogstatsd) allows multiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability.…

In addition, the _tags function does not check tags for newlines or statsd control characters. The tags can be used for metric injections.
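
The missing checks, shown at the wire-format level as an added Python illustration (not the module's Perl code and not its 0.04 fix). The function names, the reject sets and the sample tag value are assumptions constructed for this example.

```python
import re

# Assumed reject sets (not taken from the library's fix): control characters
# plus the separators that the dogstatsd line format gives meaning to.
UNSAFE_NAME = re.compile(r"[\x00-\x1f\x7f:|@#]")
UNSAFE_TAG = re.compile(r"[\x00-\x1f\x7f|,#]")
# Numeric metric types only; the set type is left out because its values are strings.
NUMERIC_TYPES = {"c", "g", "ms", "h", "d"}

# Constructed sample: a tag value that carries a newline.
SAMPLE_TAGS = {"user": "alice\nlogins.failed:0|g"}


def naive_line(name, value, mtype, tags):
    """Unchecked formatting, the behaviour the advisory describes."""
    suffix = "|#" + ",".join(f"{k}:{v}" for k, v in tags.items()) if tags else ""
    return f"{name}:{value}|{mtype}{suffix}"


def safe_line(name, value, mtype, tags):
    """Same format, but refuses input that could start a second metric."""
    if not name or UNSAFE_NAME.search(name):
        raise ValueError(f"unsafe metric name: {name!r}")
    if mtype not in NUMERIC_TYPES:
        raise ValueError(f"unsupported metric type: {mtype!r}")
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"non-numeric value: {value!r}")
    for key, val in tags.items():
        if not key or ":" in key or UNSAFE_TAG.search(key):
            raise ValueError(f"unsafe tag key: {key!r}")
        if UNSAFE_TAG.search(str(val)):
            raise ValueError(f"unsafe tag value for {key!r}: {val!r}")
    return naive_line(name, value, mtype, tags)


def metrics_in_packet(packet):
    """Split a packet the way a statsd receiver does: one metric per line."""
    return [line for line in packet.split("\n") if line]


if __name__ == "__main__":
    packet = naive_line("logins.ok", 1, "c", SAMPLE_TAGS)
    print(len(metrics_in_packet(packet)), "metrics parsed from one emit call")
    try:
        safe_line("logins.ok", 1, "c", SAMPLE_TAGS)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting rather than silently stripping keeps the bad input visible to the caller, which is useful when the tag value comes from request data.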

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1565.002 Transmitted Data Manipulation (Impact): Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

CRLF and control-character injection in the statsd adapter directly enables tampering with transmitted metric data and exploitation of applications that use the library.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

pevans
metrics\
\

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
