Cyber Resilience

CVE-2026-9270

Severity: Critical
Published: 05 June 2026
Modified: 17 June 2026
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0033 (25.0th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-9270 is a critical-severity CRLF Injection (CWE-93) vulnerability in DataDog::DogStatsd for Perl (affected asset: Binary Datadog). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002). The CVE is ranked at the 25.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix. The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram. The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections. Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe.
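
An added example, not code from DataDog::DogStatsd or from this advisory: allowlist validation a caller can apply to the metric name, value and tag before handing them to the client. The helper names safe_stat, safe_number and safe_tag, the tag key login_name and the sample inputs are assumptions constructed for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical helpers (not part of DataDog::DogStatsd). A DogStatsd datagram is
# "name:value|type|#tag,tag", one metric per line, so untrusted fields must not
# carry "\n", "|", ":" or ",". Patterns end in \z, not $: in Perl, $ also
# matches before a trailing newline and would let "name\n" through.

sub safe_stat {      # metric name ($stat): letters, digits, "_" and "."
    my ($stat) = @_;
    return undef unless defined $stat && $stat =~ /\A[A-Za-z][A-Za-z0-9_.]{0,199}\z/;
    return $stat;
}

sub safe_number {    # value ($delta) for gauge, count and histogram
    my ($delta) = @_;
    return undef unless defined $delta && $delta =~ /\A[+-]?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?\z/;
    return $delta;
}

sub safe_tag {       # tag built from a fixed key and an untrusted value
    my ($key, $value) = @_;
    return undef unless defined $key   && $key =~ /\A[A-Za-z][A-Za-z0-9_.-]*\z/;
    return undef unless defined $value && length $value;
    (my $clean = substr($value, 0, 100)) =~ s/[^A-Za-z0-9_.\/-]/_/g;   # neutralise separators
    return "${key}:${clean}";
}

# Constructed sample inputs: [ stat, delta, form field used as a tag value ]
my @samples = (
    [ 'login.attempts',   '1',    'alice'    ],
    [ "login.attempts\n", '1',    'alice'    ],
    [ 'login.attempts',   "1\n2", 'alice'    ],
    [ 'login.attempts',   '1',    "a|b:c\nd" ],
);

for my $s (@samples) {
    my $stat  = safe_stat($s->[0]);
    my $delta = safe_number($s->[1]);
    my $tag   = safe_tag('login_name', $s->[2]);
    if (defined $stat && defined $delta && defined $tag) {
        # Only these validated values should reach the client's metric methods.
        print "accept: ${stat}:${delta} tag=${tag}\n";
    } else {
        print "reject: invalid metric name or value\n";
    }
}
```

The tag helper takes its key from code and only the value from the request, which is the safe form of the SYNOPSIS pattern the details above flag.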

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1565.002 Transmitted Data Manipulation (tactic: Impact)
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Metric injection via unsanitized input (newlines/pipes/colons) in DogStatsd protocol directly enables manipulation of transmitted monitoring data.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

binary
datadog\
\

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
