REFramework security vulnerabilities

REFramework is a scripting platform developed by PrayDog, the individual developer of the game. Versions of REFramework prior to 1.5.5 contained security vulnerabilities. These vulnerabilities stemmed from a heap buffer overflow in the Lua debugging component ldebug.c, which could allow arbitrary...

PT-2026-4893

Out-of-bounds Read vulnerability in praydog UEVR dependencies/lua/src modules. This vulnerability is associated with program files lparser.C. This issue affects UEVR: before 1.05...

GO-2026-4312 Envoy Extension Policy lua scripts injection causes arbitrary command execution in github.com/envoyproxy/gateway

Envoy Extension Policy lua scripts injection causes arbitrary command execution in github.com/envoyproxy/gateway...

Ubuntu: Security Advisory (USN-7969-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Azure Linux 3.0 Security Update: redis / valkey (CVE-2024-31449)

The version of redis / valkey installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-31449 advisory. - Redis is an open source, in-memory database that persists on disk. An authenticated user May use a...

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Dungeon Crawl Stone Stoup vulnerability (USN-7969-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-7969-1 advisory. David Mendenhall discovered that Dungeon Crawl Stone Soup was incorrectly handling Lua bytecode embedded in an uploaded .crawlrc file. An...

MiracleLinux 9 : redis-6.2.7-1.el9 (AXSA:2023-4604:01)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-4604:01 advisory. redis: Code injection via Lua script execution environment CVE-2022-24735 redis: Malformed Lua script can crash Redis CVE-2022-24736 Tenable has...

MiracleLinux 8 : redis:5 (AXSA:2021-2497:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-2497:01 advisory. redis: Lua scripts can overflow the heap-based Lua stack CVE-2021-32626 redis: Integer overflow issue with Streams CVE-2021-32627 redis: Integer...

MiracleLinux 8 : redis:6 (AXSA:2022-4434:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2022-4434:01 advisory. redis: Code injection via Lua script execution environment CVE-2022-24735 redis: Malformed Lua script can crash Redis CVE-2022-24736 Tenable has...

MiracleLinux 9 : lua-5.4.4-3.el9 (AXSA:2023-5344:03)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-5344:03 advisory. lua: heap buffer overread CVE-2022-28805 Tenable has extracted the preceding description block directly from the MiracleLinux security advisory. Note that...

MiracleLinux 9 : redis:7 (AXSA:2025-11023:01)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2025-11023:01 advisory. redis: Lua library commands may lead to integer overflow and potential RCE CVE-2025-46817 Redis: Redis: Authenticated users can execute LUA scripts...

MiracleLinux 9 : redis:7 (AXSA:2024-9438:01)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-9438:01 advisory. redis: Redis SORTRO may bypass ACL configuration CVE-2023-41053 redis: possible bypass of Unix socket permissions on startup CVE-2023-45145 redis:...

MiracleLinux 9 : lua-5.4.4-2.el9 (AXSA:2023-5175:02)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-5175:02 advisory. lua: use after free allows Sandbox Escape CVE-2021-44964 lua: stack overflow in luaresume of ldo.c allows a DoS via a crafted script file...

MiracleLinux 8 : lua-5.3.4-12.el8 (AXSA:2021-2619:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2021-2619:01 advisory. lua: segmentation fault in getlocal and setlocal functions in ldebug.c CVE-2020-24370 Tenable has extracted the preceding description block directly from the...

MiracleLinux 9 : lua-5.4.2-4.el9.3 (AXSA:2023-5088:01)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-5088:01 advisory. lua: heap buffer overflow in luaGerrormsg in ldebug.c due to uncontrolled recursion in error handling CVE-2022-33099 Tenable has extracted the preceding...

USN-7969-1: Dungeon Crawl Stone Stoup vulnerability

David Mendenhall discovered that Dungeon Crawl Stone Soup was incorrectly handling Lua bytecode embedded in an uploaded .crawlrc file. An attacker could possibly use this issue to execute arbitrary code...

USN-7969-1 crawl vulnerability

David Mendenhall discovered that Dungeon Crawl Stone Soup was incorrectly handling Lua bytecode embedded in an uploaded .crawlrc file. An attacker could possibly use this issue to execute arbitrary code...

CVE-2026-23742

Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the default configuration -lua-sources=inline,file. An attacker can execute arbitrary code and access sensitive files by submitting malicious scripts when untrusted users are permitted to create lua filters...

Arbitrary Code Injection

Overview github.com/zalando/skipper is a HTTP router and reverse proxy for service composition Affected versions of this package are vulnerable to Arbitrary Code Injection via the default configuration -lua-sources=inline,file. An attacker can execute arbitrary code and access sensitive files by...