Astra Linux – Vulnerability in Redis

Redis is an open-source, in-memory database that persists data on disk. Versions 8.2.1 and earlier allow an authenticated user to use a specially crafted Lua script to cause an integer overflow, potentially leading to remote code execution. This issue exists in all versions of Redis that support...

Astra Linux – Vulnerability in Redis

Redis is an in-memory database that persists data on disk. By exploiting vulnerabilities in the Lua script execution environment, an attacker with access to Redis prior to versions 7.0.0 or 6.2.7 can inject Lua code that will execute with the potentially higher privileges of another Redis user. T...

Astra Linux – Vulnerability in Apache2

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in apstrcmpmatch, especially when an extremely large input buffer is used. Although no code distributed with the server can be forced to make such a call, third-party modules or Lua scripts that us...

Astra Linux – Vulnerability in Redis

Redis is an open-source, in-memory database that persists data on disk. A authenticated user can use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. This issue exists in all versions of Redis that support L...

Astra Linux – Vulnerability in Redis

Redis is an open-source, in-memory database that persists data on disk. Versions 8.2.1 and earlier allow an authenticated user to use a specially crafted Lua script to read out-of-bounds data or cause the server to crash, resulting in a denial of service attack. This vulnerability exists in all...

CVE-2026-41873

UNSUPPORTED WHEN ASSIGNED Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under t...

CVE-2026-41873 Pony Mail: Admin account takeover via request smuggling

UNSUPPORTED WHEN ASSIGNED Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under t...

EUVD-2026-26065

UNSUPPORTED WHEN ASSIGNED Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under t...

CVE-2026-41873

Technical details are not publicly available in the provided documents; no concrete information on affected products, versions, root cause, or fixes is present. Monitor for updates.

Apache Pony Mail 环境问题漏洞

Apache Pony Mail is a plugin from the Apache Foundation in the United States that includes features for email archiving, viewing, and interaction. Apache Pony Mail has an environmental issue vulnerability, which stems from inconsistent interpretation of HTTP requests, potentially allowing...

PT-2026-35747

Name of the Vulnerable Software and Affected Versions Pony Mail Lua implementation affected versions not specified Description Inconsistent interpretation of HTTP requests, known as HTTP Request/Response Smuggling, allows for admin account takeover. This occurs when a front-end server and a...

Fedora 44 : libinput (2026-56fa441129)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-56fa441129 advisory. libinput 1.31.1, fixes Lua plugin sandbox escape CVE-2026-35093, CVE-2026-35094 Tenable has extracted the preceding description block directly from...

⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & More

Everything is dumb again. This week feels broken in a very familiar way. Old tricks are back. New tools are doing shady crap. Supply chains got hit. Fake help desks worked. Weird research showed how easy some attacks still are. Most of it feels like stuff we should have fixed years ago. Bad...

Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software

Cybersecurity researchers have discovered a new Lua-based malware created years before the notorious Stuxnet worm that aimed to sabotage Iran's nuclear program by destroying uranium enrichment centrifuges. According to a new report published by SentinelOne, the previously undocumented cyber...

BIT-CONTOUR-2026-41246 Contour: Lua code injection via Cookie Path Rewrite Policy

Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in...

SUSE SLED15 / SLES15 Security Update : dnsdist (SUSE-SU-2026:1618-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1618-1 advisory. Update to version 1.9.12. - https://www.dnsdist.org/changelog.htmlchange-1.9.12 Security issues fixed: -...

EUVD-2026-25280

Contour has Lua code injection via Cookie Path Rewrite Policy...

GHSA-X4MJ-7F9G-29H4 Contour has Lua code injection via Cookie Path Rewrite Policy

Impact Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in the following fields that results in arbitrary code execution in the Envoy proxy: -...

Contour has Lua code injection via Cookie Path Rewrite Policy

Impact Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in the following fields that results in arbitrary code execution in the Envoy proxy: -...

Security update for dnsdist

This update for dnsdist fixes the following issues: Update to version 1.9.12. https://www.dnsdist.org/changelog.htmlchange-1.9.12 Security issues fixed: CVE-2026-0396: crafted DNS queries triggering domain-based dynamic rules can lead to HTML injection in the web dashboard bsc1261236...