CC-Tweaked has an SSRF Protection Bypass with NAT64

CC-Tweaked's HTTP API http.request, http.websocket blocks requests to private network ranges to prevent server-side request forgery SSRF. This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses 64:ff9b::/96. An attacker who can execute Lua code can reach an...

SUSE SLES15 Security Update : redis7 (SUSE-SU-2026:2100-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2100-1 advisory. This update for redis7 fixes the following issues - CVE-2026-23631: Lua use-after-free via the master-replica synchronization...

ZTE H298A / H108N - Unauthenticated Credential Exposure

Exploit Title: ZTE H298A / H108N - Unauthenticated Credential Exposure via ETHCheat Parameter Date: 2026-05-20 Exploit Author: Mina Nageh Salalma Monx Research Vendor Homepage: https://www.zte.com.cn Software Link:...

Security update for redis7

This update for redis7 fixes the following issues CVE-2026-23631: Lua use-after-free via the master-replica synchronization mechanism may lead to remote code execution bsc1264165. CVE-2026-25243: invalid memory access in RESTORE command via a specially crafted serialized payload may lead to remot...

SUSE-SU-2026:2100-1 Security update for redis7

This update for redis7 fixes the following issues - CVE-2026-23631: Lua use-after-free via the master-replica synchronization mechanism may lead to remote code execution bsc1264165. - CVE-2026-25243: invalid memory access in RESTORE command via a specially crafted serialized payload may lead to...

SUSE-SU-2026:2097-1 Security update for redis7

This update for redis7 fixes the following issues - CVE-2026-23631: Lua use-after-free via the master-replica synchronization mechanism may lead to remote code execution bsc1264165. - CVE-2026-25243: invalid memory access in RESTORE command via a specially crafted serialized payload may lead to...

Security update for redis7

This update for redis7 fixes the following issues CVE-2026-23631: Lua use-after-free via the master-replica synchronization mechanism may lead to remote code execution bsc1264165. CVE-2026-25243: invalid memory access in RESTORE command via a specially crafted serialized payload may lead to remot...

Arbitrary Code Injection

Contour is vulnerable to Arbitrary Code Injection. The vulnerability is due to insufficient sanitization of user-controlled values in cookieRewritePolicies.pathRewrite.value, where values are interpolated into Envoy HTTP Lua filter code using Go text/template, allowing attackers with HTTPProxy...

Amazon Linux 2023 : valkey, valkey-devel (ALAS2023-2026-1748)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1748 advisory. Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from processCommandAndResetClient when re-executing ...

JLSEC-2026-555

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal3,2^31...

JLSEC-2026-557

Lua v5.4.3 and above are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service...

JLSEC-2026-558

Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.05.4.3 allows attackers to perform Sandbox Escape via a crafted script file...

JLSEC-2026-561

An issue in the component luaGrunerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs...

JLSEC-2026-553

Lua 5.3.5 has a use-after-free in luaupvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships...

JLSEC-2026-556

Stack overflow in luaresume of ldo.c in Lua Interpreter 5.1.05.4.4 allows attackers to perform a Denial of Service via a crafted script file...

JLSEC-2026-559

In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read...

JLSEC-2026-560

singlevar in lparser.c in Lua from including 5.4.0 up to excluding 5.4.4 lacks a certain luaKexp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code...

Race Condition

Overview Affected versions of this package are vulnerable to Race Condition in the handle process due to the sync.RWMutex being released before L.Push and L.PCall execute. An attacker can cause Lua VM corruption or unpredictable server behavior by making concurrent requests that race on the share...

Race Condition

Overview github.com/xyproto/algernon/engine is a Affected versions of this package are vulnerable to Race Condition. in the handle process due to the sync.RWMutex being released before L.Push and L.PCall execute. An attacker can cause Lua VM corruption or unpredictable server behavior by making...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the Host header when the server is running in --domain mode. An attacker can access files and execute Lua scripts from the parent directory by supplying a specially crafted Host header value. Details A Directory...