PT-2026-2290
Name of the Vulnerable Software and Affected Versions Envoy Gateway versions prior to 1.5.7 Envoy Gateway versions prior to 1.6.2 Description Envoy Gateway is an open source project for managing Envoy Proxy. EnvoyExtensionPolicy Lua scripts executed by the proxy can be used to leak the proxy's...
Envoy Gateway Code Injection Vulnerability
Envoy Gateway is an open source project that uses Envoy Proxy as a gateway for standalone or Kubernetes-based applications. A code injection vulnerability exists in Envoy Gateway versions prior to 1.5.7 and prior to 1.6.2 that stems from the EnvoyExtensionPolicy Lua script that could...
Security update of valkey (critical)
openSUSE security update: security update of valkey ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20003-1 Rating: critical References: bsc1250995 Cross-References: CVE-2025-46817 CVE-2025-46818 CVE-2025-46819 CVE-2025-49844 CVSS scores:...
POC-APISIX-RCE
Apache APISIX - Remote Code Execution Admin API script inject...
PoC-Apisix
PoC-Apisix RCE via serverless-pre-function plugin when Admi...
CVE-2022-35158
A vulnerability in the lua parser of TscanCode tsclua v2.15.01 allows attackers to cause a Denial of Service DoS via a crafted lua script...
CVE-2024-39207
lua-shmem v1.0-1 was discovered to contain a buffer overflow via the shmemwrite function...
CVE-2018-4031
An exploitable vulnerability exists in the safe browsing function of the CUJO Smart Firewall, version 7003. The flaw lies in the way the safe browsing function parses HTTP requests. The server hostname is extracted from captured HTTP/HTTPS requests and inserted as part of a Lua statement without...
PT-2026-1871
Name of the Vulnerable Software and Affected Versions GL.Inet AX1800 versions 4.6.4 through 4.6.8 Description The LuCI web interface on GL.Inet AX1800 devices lacks rate limiting or account lockout mechanisms on the authentication endpoint /cgi-bin/luci. This allows an unauthenticated attacker on...
OPENSUSE-SU-2026:20003-1 Security update of valkey
This update for valkey fixes the following issues: Update to 8.0.6: - Security fixes: - CVE-2025-49844: Fixed that a Lua script may lead to remote code execution bsc1250995 - CVE-2025-46817: Fixed that a Lua script may lead to integer overflow and potential RCE bsc1250995 - CVE-2025-46818: Fixed...
Unity Linux 20.1060e / 20.1070e Security Update: httpd (UTSA-2026-000182)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000182 advisory. The aprwrite function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using...
PT-2026-29247
Name of the Vulnerable Software and Affected Versions DNSdist affected versions not specified Description An attacker may be able to trigger a use-after-free condition by sending specially crafted DNS queries to DNSdist when using custom Lua code. This occurs through the DNSQuestion:getEDNSOption...
PT-2026-29246
Name of the Vulnerable Software and Affected Versions DNSdist affected versions not specified Description An attacker could trigger an out-of-bounds write by sending crafted DNS responses to DNSdist. This is possible when utilizing the DNSQuestion:changeName or DNSResponse:changeName methods with...
PT-2026-29243
Name of the Vulnerable Software and Affected Versions Versions prior to 2026 affected versions not specified Description An attacker could potentially trigger an out-of-bounds read by sending a specially crafted DNS response packet. This occurs when custom Lua code utilizes the newDNSPacketOverla...
Unity Linux 20.1070e Security Update: syslinux (UTSA-2025-993338)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-993338 advisory. ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal3,2^31. Tenable has extracted the...
[SECURITY] [DLA 4428-1] mediawiki security update
Debian LTS Advisory DLA-4428-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin December 30, 2025 https://wiki.debian.org/LTS Package : mediawiki Version : 1:1.35.13-1+deb11u6 CVE ID : CVE-2025-67475 CVE-2025-67478 CVE-2025-67479 CVE-2025-67480 CVE-2025-67481...
VulnCheck KEV: CVE-2025-49844
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all...
Honeywell Multiple Industrial Printers Improper Privilege Management (CVE-2017-5671)
Honeywell Intermec PM23, PM42, PM43, PC23, PC43, PD43, and PC42 industrial printers before 10.11.013310 and 10.12.x before 10.12.013309 have /usr/bin/lua installed setuid to the itadmin account, which allows local users to conduct a BusyBox jailbreak attack and obtain root privileges by overwriti...
CVE-2025-56120
OS Command Injection vulnerability in Ruijie X60 PRO X6010212014RG-X60 PRO V1.00/V2.00 allowing attackers to execute arbitrary commands via a crafted POST request to the moduleset in file /usr/local/lua/devconfig/configretain.lua...
CVE-2025-56083
OS Command Injection vulnerability in Ruijie X30-PRO X30-PRO-V109241521 allowing attackers to execute arbitrary commands via a crafted POST request to the moduleset in file /usr/local/lua/devsta/nbrnetworkIdmerge.lua...