Lucene search
K

3340 matches found

OSV
OSV
added 2026/07/02 8:46 p.m.2 views

GHSA-MM6C-5J6X-HQ8M Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename

Summary Algernon selects its file handler from filepath.Ext engine/handlers.go:134, which does not treat the NTFS-equivalent names x.lua::$DATA, x.lua., or x.lua as .lua. On Windows, an unauthenticated client appends one of these suffixes to any server-side script on a public path and receives it...

8.7CVSS5.9AI score0.00077EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-55477

Name of the Vulnerable Software and Affected Versions Algernon version 1.17.8 Description On Windows hosts using the NTFS filesystem, an unauthenticated client can retrieve the raw source code of server-side scripts such as .lua, .tl, .po2, .amber, or .frm located on public paths. This occurs...

8.7CVSS6.1AI score0.00077EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/06/30 9:46 a.m.7 views

redis: Remote code execution via use-after-free in Lua scripting

A flaw was found in Redis, an in-memory data structure store. An authenticated attacker can exploit a use-after-free vulnerability in redis-server with Lua scripting. This occurs through the master-replica synchronization mechanism on replicas where replica-read-only is disabled or can be disable...

8.8CVSS5.7AI score0.01782EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2026/06/30 9:46 a.m.10 views

Important: Red Hat Security Advisory: redis:7 security update

An update for the redis:7 module is now available for Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...

8.8CVSS6.3AI score0.01782EPSS
Exploits0References2
NVD
NVD
added 2026/06/26 6:16 p.m.8 views

CVE-2026-47206

Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.9, Dragonfly has a RESP Protocol Injection via Lua redis.errorreply in EvalSerializer. An authenticated user can inject arbitrary RESP messages into the connection's response stream, potentially causing...

2.3CVSS0.00283EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/26 4:39 p.m.35 views

CVE-2026-47206 Dragonfly: RESP Protocol Injection via Lua redis.error_reply() in EvalSerializer

Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.9, Dragonfly has a RESP Protocol Injection via Lua redis.errorreply in EvalSerializer. An authenticated user can inject arbitrary RESP messages into the connection's response stream, potentially causing...

2.3CVSS0.00283EPSS
Exploits0References3
CVE
CVE
added 2026/06/26 4:39 p.m.21 views

CVE-2026-47206

Dragonfly is an in-memory store. Before version 1.39.9, it is vulnerable to RESP protocol injection via Lua redis.error_reply() in EvalSerializer, allowing an authenticated user to inject arbitrary RESP messages into the connection’s response stream and potentially desynchronize responses for con...

2.3CVSS5.9AI score0.00283EPSS
Exploits0References3
OSV
OSV
added 2026/06/25 10:34 p.m.4 views

GO-2026-5738 Contour has Lua code injection via Cookie Path Rewrite Policy in github.com/projectcontour/contour

Contour has Lua code injection via Cookie Path Rewrite Policy in github.com/projectcontour/contour...

8.1CVSS5.9AI score0.00481EPSS
Exploits0References7
EUVD
EUVD
added 2026/06/25 9:31 a.m.6 views

EUVD-2026-39332

Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.0.4 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue...

10CVSS5.9AI score0.00395EPSS
Exploits0References2
NVD
NVD
added 2026/06/25 9:16 a.m.6 views

CVE-2026-46752

Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.0.4 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue...

10CVSS0.00395EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/25 8:1 a.m.28 views

CVE-2026-46751 Apache Kvrocks: Does not remove the unsafe loadstring function from its Lua sandbox, allowing a user who can run EVAL scripts to load crafted, unvalidated bytecode that crashes the server process, resulting in a remote denial of service.

A vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.2.0 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue...

5.5CVSS0.00324EPSS
Exploits0References1
CVE
CVE
added 2026/06/25 8:1 a.m.11 views

CVE-2026-46751

CVE-2026-46751 affects Apache Kvrocks (2.2.0–2.15.0). The root cause is that Kvrocks does not remove the unsafe loadstring function from its Lua sandbox, enabling a user who can run EVAL scripts to load crafted, unvalidated bytecode that crashes the server process, resulting in a remote denial of...

5.5CVSS5.8AI score0.00324EPSS
Exploits0References2
CVE
CVE
added 2026/06/25 8:0 a.m.15 views

CVE-2026-46752

CVE-2026-46752 describes a Redis Lua HEAP overflow in the cjson library used by Apache Kvrocks. Affected versions are Kvrocks 2.0.4 through 2.15.0. The issue’s root cause is a heap overflow in Lua-related handling within cjson, leading to a high-severity impact. Kvrocks users should upgrade to ve...

10CVSS5.9AI score0.00395EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/25 8:0 a.m.33 views

CVE-2026-46752 Apache Kvrocks: Stack buffer overflow in Lua bit.tohex()

Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.0.4 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue...

10CVSS0.00395EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/23 9:49 p.m.15 views

EUVD-2026-31881

Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir...

8.2CVSS5.8AI score0.00335EPSS
Exploits0References2
OSV
OSV
added 2026/06/23 9:49 p.m.3 views

GHSA-JC3J-X6PG-4HMV Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir

Summary When algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join wit...

8.2CVSS6.3AI score0.00335EPSS
Exploits0References3
OSV
OSV
added 2026/06/18 9:28 p.m.5 views

MGASA-2026-0225 Updated luajit packages fix security vulnerabilities

In LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other products, debug.getinfo has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and options are mishandled. CVE-2019-19391 LuaJIT through 2.1.0-beta3 h...

9.8CVSS6.9AI score0.01469EPSS
Exploits4References4
Rockylinux
Rockylinux
added 2026/06/17 12:3 p.m.8 views

valkey security update

An update is available for valkey. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Valkey is an advanced key-value store. It is often referred to as a data...

8.8CVSS6.8AI score0.02995EPSS
Exploits4
OSV
OSV
added 2026/06/17 12:3 p.m.8 views

RLSA-2026:25925 Important: valkey security update

Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing s...

8.8CVSS6.4AI score0.02995EPSS
Exploits4References4
RedHat Linux
RedHat Linux
added 2026/06/17 10:41 a.m.8 views

redis: Remote code execution via use-after-free in Lua scripting

A flaw was found in Redis, an in-memory data structure store. An authenticated attacker can exploit a use-after-free vulnerability in redis-server with Lua scripting. This occurs through the master-replica synchronization mechanism on replicas where replica-read-only is disabled or can be disable...

8.8CVSS5.5AI score0.01782EPSS
Exploits0References6
Rows per page
Query Builder