Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections. Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd. Newlines are not removed from metric names, allowing metric injections. Values are not sanitised for newlines or other protocol control characters such as colons or pipes, allowing metric injections.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Net::Statsite::Client through version 1.1.0 fails to sanitize metric names and values for newlines and protocol control characters, enabling attackers to inject arbitrary metrics into statsite monitoring systems. This vulnerability allows an attacker to manipulate monitoring data, inject false metrics, or potentially disrupt the statsite protocol stream by inserting newlines, colons, and pipes without validation. Organizations using this Perl client library to send metrics to statsite/statsd monitoring infrastructure are affected, particularly those processing untrusted metric data or accepting metric submissions from external sources. The critical CVSS score of 9.1 reflects the high impact of poisoning observability systems that security teams rely upon for threat detection and incident response.
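The following added example is not taken from Net::Statsite::Client or from this page. It contrasts unvalidated line formatting with an allow-list check a caller can apply before handing data to any statsd-style client. The function names, the `name:value|type` line layout, the type list and the sample inputs are assumptions constructed for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Assumed wire format for this sketch: <name>:<value>|<type>\n, one metric per line.

# Unvalidated pattern: caller data is interpolated straight into the line.
sub format_naive {
    my ($name, $value, $type) = @_;
    return "$name:$value|$type\n";
}

# Hardened pattern: allow-list every field and refuse anything else.
# \A and \z are deliberate: a pattern ending in $ still accepts a trailing newline.
sub format_strict {
    my ($name, $value, $type) = @_;
    die "bad metric name\n"
        unless defined $name && $name =~ /\A[A-Za-z0-9_.\-]{1,200}\z/;
    die "bad metric value\n"    # numeric values only in this sketch
        unless defined $value && $value =~ /\A[+-]?\d+(?:\.\d+)?\z/;
    die "bad metric type\n"
        unless defined $type && $type =~ /\A(?:c|g|ms|kv|h)\z/;
    return "$name:$value|$type\n";
}

# How many metrics a line-oriented receiver would parse out of a payload.
sub count_metrics {
    my ($payload) = @_;
    return scalar grep { length } split /\n/, $payload;
}

# Constructed sample inputs: one clean metric, then control characters in the
# name, in the value, and a lone trailing newline in the name.
my @samples = (
    [ 'web.login.ok',                    '1',                  'c' ],
    [ "web.login.ok:1|c\nauth.failures", '0',                  'g' ],
    [ 'queue.depth',                     "7|g\nqueue.depth:0", 'g' ],
    [ "trailing.newline\n",              '1',                  'c' ],
);

for my $s (@samples) {
    my ($name, $value, $type) = @$s;
    my $naive  = format_naive($name, $value, $type);
    my $strict = eval { format_strict($name, $value, $type) };
    my $err    = $@;
    chomp $err;
    printf "naive: %d metric(s) on the wire; strict: %s\n",
        count_metrics($naive), defined $strict ? 'accepted' : "rejected ($err)";
}
```

Rejecting is preferable to silently stripping characters here, because a rejected submission surfaces in application logs while a rewritten one hides that the upstream data source is untrusted.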
While this CVE doesn't map to specific MITRE ATT&CK techniques in the traditional sense, Casky's Claude-powered analysis would detect this as a data manipulation attack pattern falling under techniques like T1565 (Data Manipulation) and T1040 (Traffic Redirection). Practitioners using Casky would observe findings focused on unsanitized input handling in protocol implementations, detecting patterns where newline characters (\n), colons (:), and pipes (|) bypass validation filters. Extended reasoning analysis would flag the attack chain: untrusted input → client library → protocol injection → false metric generation. Security teams would receive alerts on metric anomalies, suspicious protocol sequences, and validation bypass attempts, enabling rapid identification of exploitation attempts before monitoring integrity is compromised.
© 2026 Casky.AI, Inc. · AI Security Investigation