
3322 matches found

Fedora
added 2025/07/12 1:46 a.m. | 11 views

[SECURITY] Fedora 42 Update: luajit-2.1.1748459687-2.fc42

LuaJIT implements the full set of language features defined by Lua 5.1. The virtual machine (VM) is API- and ABI-compatible to the standard Lua interpreter and can be deployed as a drop-in replacement...

CVSS 9.8 | AI score 6.3 | EPSS 0.00536
Exploits: 2

RedhatCVE
added 2025/07/12 12:28 a.m. | 13 views

CVE-2025-47812

In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thu...

CVSS 10 | AI score 9.9 | EPSS 0.95343
Exploits: 23 | References: 1

The Hacker News
added 2025/07/11 10:58 a.m. | 19 views

Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being Exploited in the Wild

A recently disclosed maximum-severity security flaw impacting the Wing FTP Server has come under active exploitation in the wild, according to Huntress. The vulnerability, tracked as CVE-2025-47812 (CVSS score: 10.0), is a case of improper handling of null ('\0') bytes in the server's web interface,...

CVSS 10 | AI score 10 | EPSS 0.95343
Exploits: 23

Tenable Nessus
added 2025/07/11 12:0 a.m. | 3 views

CBL Mariner 2.0 Security Update: lua / memcached / ntopng (CVE-2021-44964)

The version of lua / memcached / ntopng installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2021-44964 advisory. - Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3...

CVSS 6.3 | AI score 6.8 | EPSS 0.00985
Exploits: 1 | References: 2

Tenable Nessus
added 2025/07/11 12:0 a.m. | 14 views

Wing FTP Server < 7.4.4 Multiple Vulnerabilities

The remote FTP server is running a version of Wing FTP Server earlier than 7.4.4. It is, therefore, affected by multiple vulnerabilities, as follows: - In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into...

CVSS 10 | AI score 8.2 | EPSS 0.95343
Exploits: 24 | References: 5

NVD
added 2025/07/10 8:15 p.m. | 7 views

CVE-2025-34095

An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute code, which is then persisted on...

CVSS 9.3 | EPSS 0.04418
Exploits: 0 | References: 3

CVE
added 2025/07/10 7:14 p.m. | 27 views

CVE-2025-34095

An OS command injection exists in Real Time Logic Mako Server v2.5 and v2.6 via the examples/save.lsp tutorial interface. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is persisted on disk and later executed when a GET is issued to ex...

CVSS 9.3 | AI score 7.4 | EPSS 0.04418
Exploits: 0 | References: 3

Vulnrichment
added 2025/07/10 7:14 p.m. | 2 views

CVE-2025-34095 Mako Server v2.5 and v2.6 OS Command Injection via examples/save.lsp

An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute code, which is then persisted on...

CVSS 9.3 | AI score 7.9 | EPSS 0.04418
Exploits: 0 | References: 3

OSV
added 2025/07/10 5:15 p.m. | 4 views

CVE-2025-47812

In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thu...

CVSS 10 | AI score 6.6 | EPSS 0.95343
Exploits: 23 | References: 6

NVD
added 2025/07/10 5:15 p.m. | 9 views

CVE-2025-47812

In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thu...

CVSS 10 | EPSS 0.95343
Exploits: 23 | References: 6

OSV
added 2025/07/10 5:48 a.m. | 5 views

CLSA-2025-1752126532 httpd: Fix of 2 CVEs

- CVE-2014-8109: mod_lua: fix LuaAuthzProvider argument handling issue
- CVE-2019-10092: mod_proxy: fix limited cross-site scripting in mod_proxy error page...

CVSS 6.1 | AI score 6.6 | EPSS 0.81466
Exploits: 4 | References: 1

EUVD
added 2025/07/10 12:0 a.m. | 10 views

EUVD-2025-21009

In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thu...

CVSS 10 | AI score 9 | EPSS 0.95343
Exploits: 23 | References: 2

VulnCheck KEV
added 2025/07/10 12:0 a.m. | 9 views

VulnCheck KEV: CVE-2025-47812

In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thu...

CVSS 10 | AI score 8 | EPSS 0.95343
In wild | Exploits: 23 | References: 353

Vulnrichment
added 2025/07/10 12:0 a.m. | 9 views

CVE-2025-47812

In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thu...

CVSS 10 | AI score 9.9 | EPSS 0.95343
Exploits: 23 | References: 4

ATTACKERKB
added 2025/07/10 12:0 a.m. | 16 views

CVE-2025-47812

In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thu...

CVSS 10 | AI score 6.7 | EPSS 0.95343
In wild | Exploits: 23 | References: 8

CVE
added 2025/07/10 12:0 a.m. | 348 views

CVE-2025-47812

CVE-2025-47812 is a remote code execution vulnerability in Wing FTP Server, affecting versions before 7.4.4. The root cause is improper handling of null bytes ('\0') in user/admin web interfaces, allowing injection of arbitrary Lua code into user session files. The injected code can execute comma...

CVSS 10 | AI score 8.7 | EPSS 0.95343
In wild | Exploits: 23 | References: 6 | Affected Software: 1

OSV
added 2025/07/09 7:25 p.m. | 3 views

CLSA-2025-1752089153 redis: Fix of CVE-2024-31449

CVE-2024-31449: fix stack buffer overflow in bit library triggered by Lua script execution...

CVSS 8.8 | AI score 7 | EPSS 0.04488
Exploits: 1 | References: 1

SUSE CVE
added 2025/07/08 11:54 p.m. | 2 views

SUSE CVE-2024-25178

LuaJIT through 2.1 and OpenRusty luajit2 before v2.1-20240314 have an out-of-bounds read in the stack-overflow handler in lj_state.c...

CVSS 3.3 | AI score 6.8 | EPSS 0.00536
Exploits: 1 | References: 5

Metasploit
added 2025/07/07 6:51 p.m. | 688 views

Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)

Wing FTP Server allows arbitrary Lua code injection via a NULL-byte (%00) truncation bug (CVE-2025-47812). Supplying %00 as the username makes the C++ authentication routine validate only the prefix, while the full string is written unfiltered into the session file and later executed with root/SYSTEM...

CVSS 10 | AI score 8.4 | EPSS 0.95343
Exploits: 23

Snyk
added 2025/07/07 5:41 p.m. | 3 views

Out-of-bounds Read

Overview: Affected versions of this package are vulnerable to Out-of-bounds Read via the stack-overflow handler in lj_state.c. Remediation: A fix was pushed into the master branch but not yet published. References: GitHub Commit, GitHub Gist, GitHub Issue. Credit: Kutyavin Maxim...

CVSS 9.1 | AI score 6.9 | EPSS 0.00536
Exploits: 1 | References: 2