Cyber Resilience

CVE-2026-8788

High

Published: 18 May 2026

Published
18 May 2026
Modified
19 May 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0023 13.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-8788 is a high-severity CRLF Injection (CWE-93) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002); ranked at the 13.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar…

more

issue CVE-2026-46719 for metric names.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1565.002 Transmitted Data Manipulation Impact
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Metric injection via untrusted input to set_add enables manipulation of transmitted StatsD data.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33128Shared CWE-93
CVE-2026-39849Shared CWE-93
CVE-2025-28357Shared CWE-93
CVE-2026-39983Shared CWE-93
CVE-2026-5140Shared CWE-93
CVE-2026-34975Shared CWE-93
CVE-2026-32993Shared CWE-93
CVE-2026-41230Shared CWE-93
CVE-2026-1714Shared CWE-93
CVE-2026-39958Shared CWE-93

Affected Assets

Lite
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References