3315 matches found
PT-2026-43298
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn in lua/upload/upload.go uses filepath.Join with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This...
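The unchecked join described above, next to the containment check that is missing, as an added Go example; this is illustrative code, not Algernon's own, and the web root /srv/www, the request-supplied directory names and the function names UnsafeJoin/SafeJoin are assumptions:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// UnsafeJoin mirrors the pattern the advisory describes: the caller-supplied
// directory is joined onto the root and the result is used as-is. filepath.Join
// cleans ".." segments, so "../../../tmp" under /srv/www becomes /tmp.
func UnsafeJoin(root, dir string) string {
	return filepath.Join(root, dir)
}

// SafeJoin performs the boundary check after joining: the joined path must be
// the root itself or a descendant of it. It uses filepath.Rel rather than a
// string prefix test, so a sibling such as /srv/wwwx is also rejected.
func SafeJoin(root, dir string) (string, error) {
	root = filepath.Clean(root)
	joined := filepath.Join(root, dir) // also cleans, e.g. "a/../b" -> "b"
	rel, err := filepath.Rel(root, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("path escapes web root: " + joined)
	}
	return joined, nil
}

func main() {
	const root = "/srv/www" // assumed web root for the demonstration
	// Constructed request-supplied directory values.
	for _, dir := range []string{"uploads/2026", "../../../tmp", "../wwwx", "/etc"} {
		fmt.Printf("unsafe: %-15s -> %s\n", dir, UnsafeJoin(root, dir))
		if p, err := SafeJoin(root, dir); err != nil {
			fmt.Printf("safe:   %-15s -> rejected (%v)\n", dir, err)
		} else {
			fmt.Printf("safe:   %-15s -> %s\n", dir, p)
		}
	}
}
```

Note that an absolute directory such as /etc is not an escape here: filepath.Join treats the second argument as relative and yields /srv/www/etc, so the check is only needed for ".." sequences that survive the join.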
PT-2026-47119
An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs...
PT-2026-43308
Name of the Vulnerable Software and Affected Versions: Algernon versions prior to 1.17.8. Description: When started with the --domain flag or the --letsencrypt flag (which enables --domain automatically), the request handler resolves the served directory by joining the configured --dir with the value ...
Exploit for Improper Neutralization of Null Byte or NUL Character in Wftpserver Wing_Ftp_Server
CVE-2025-47812 — Wing FTP Server Unauth RCE rewrite Python...
COORG_EXECUTOR
🚀 COORG-EXECUTOR - Professional Roblox Script Executor for...
CLSA-2026-1779351595 Fix CVE(s): CVE-2026-23631
SECURITY UPDATE: Use-after-free in readSyncBulkPayload during fullsync - debian/patches/0015-CVE-2026-23631.patch: guard readSyncBulkPayload in src/replication.c with an early return when server.lua_timedout is set, so a fullsync cannot free the Lua scripting engine while a timed-out script is sti...
CLSA-2026-1777976277 Fix CVE(s): CVE-2022-24834
SECURITY UPDATE: Integer overflow in Lua cmsgpack library - debian/patches/CVE-2022-24834.patch: partial backport hardening deps/lua/src/lua_cmsgpack.c against integer overflows in mp_buf_append and the encode/decode helpers (cmsgpack only; the cjson half of the upstream fix is dead code under...
Astra Linux - vulnerability in lua5.3
In Lua 5.3.5, there is a use-after-free issue in the lua_upvaluejoin function in the lapi.c file. For example, an attacker can trigger a debug.upvaluejoin call, resulting in a crash, if they can establish certain relationships between the arguments passed to the function...
Astra Linux - vulnerability in apache2
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody) called from Lua scripts. The Apache httpd team is not aware of an exploit for this vulnerability, but it might be possible to create one. This issue affects Apache HTTP Server 2.4.51 and earlie...
Astra Linux - vulnerability in redis
It was discovered that Redis, a persistent key-value database, due to a packaging issue, is susceptible to a Lua sandbox escape that is specific to Debian. This could lead to remote code execution...
Astra Linux - vulnerability in lua5.3
The ldebug.c file in Lua 5.4.0 allows for a negation overflow and segmentation fault in the getlocal and setlocal functions, as demonstrated by getlocal(3,2^31)...
Astra Linux – Vulnerability in Redis
Redis is an open-source, in-memory database that persists data on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, potentially leading to remote code execution. This issue has been fixed in versions 7.4.2, 7.2.7, and 6.2.17. An additional...
📄 ZTE ZXHN H298A 1.1 / H108N 2.6 Unauthenticated Credential Disclosure
ZTE ZXHN H298A 1.1 and H108N 2.6 suffer from an unauthenticated credential exposure vulnerability via the ETHCheat parameter in getpage.lua. Title: ZTE ZXHN H298A 1.1 / H108N 2.6 - Unauthenticated Credential Exposure ETHCheat Parameter Date: 2026-05-20 Author: Mina Nageh Salalma Monx Research CVE...
Algernon: handler.lua discovery walks parent directories above the server root
Summary When Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancest...
OPENSUSE-SU-2026:20776-1 Security update for valkey
This update for valkey fixes the following issues - CVE-2025-67733: data tampering and denial of service via improper null character handling in Lua scripts (bsc#1258746). - CVE-2026-21863: denial of service via invalid cluster bus packet (bsc#1258788). - CVE-2026-23479: use-after-free in unblock client...
SUSE-SU-2026:21814-1 Security update for valkey
This update for valkey fixes the following issues - CVE-2025-67733: data tampering and denial of service via improper null character handling in Lua scripts (bsc#1258746). - CVE-2026-21863: denial of service via invalid cluster bus packet (bsc#1258788). - CVE-2026-23479: use-after-free in unblock client...
Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations
A new analysis of the Lua-based fast16 malware has confirmed that it was a cyber sabotage tool designed to tamper with nuclear weapons testing simulations. According to Broadcom-owned Symantec and Carbon Black teams, the pre-Stuxnet tool was engineered to corrupt uranium-compression simulations...
[SECURITY] Fedora 42 Update: valkey-8.0.9-1.fc42
Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing s...
[SECURITY] Fedora 43 Update: valkey-8.1.7-1.fc43
Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing s...
[SECURITY] [DSA 6279-1] redis security update
------------------------------------------------------------------------- Debian Security Advisory DSA-6279-1 security@debian.org https://www.debian.org/security/ Aron Xu May 17, 2026 https://www.debian.org/security/faq - -------------------------------------------------------------------------...