CVE-2026-43981

CVE-2026-43981 affects Algernon, a small self-contained Go web server. In versions prior to 1.17.6, a race condition exists in engine/luahandler.go: the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua’s LState is not goroutine-safe, ...

CVE-2026-43981 Algernon: Race Condition in handle() shared LState

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push and L.PCall execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state...

CVE-2026-43981 Algernon: Race Condition in handle() shared LState

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push and L.PCall execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state...

CVE-2026-43982 Algernon: Path traversal file write via savein()

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn in lua/upload/upload.go uses filepath.Join with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This...

algernon 竞争条件问题漏洞

Algernon is a web server developed by Alexander F. Rødseth. Versions of Algernon prior to 1.17.6 contained a race condition vulnerability. This vulnerability stemmed from the sync.RWMutex used in engine/luahandler.go to protect LoadCommonFunctions, which was released before L.Push and L.PCall...

PT-2026-43308

Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain or --letsencrypt, which silently turns on --domain at engine/flags.go:372, the request handler resolves the served directory by joining the configured --dir with the value of the...

PT-2026-47115

Stack overflow in lua resume of ldo.c in Lua Interpreter 5.1.05.4.4 allows attackers to perform a Denial of Service via a crafted script file...

📄 ZTE ZXHN Router Denial of Service

The CGILua post.lua parser used in ZTE ZXHN routers does not enforce an upper bound on the body size of application/x-www-form-urlencoded POST requests. An unauthenticated attacker can crash or freeze the router's web management service by sending a single HTTP POST request with an oversized body...

PT-2026-43297

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push and L.PCall execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state...

algernon 安全漏洞

Algernon is a web server developed by Alexander F. Rødseth. Versions of Algernon prior to 1.17.8 contained security vulnerabilities. These vulnerabilities stemmed from path traversal via the Host header when using the --domain option, potentially allowing arbitrary file reading, directory listing...

PT-2026-47117

In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read...

PT-2026-47113

Lua 5.4.0 fixed in 5.4.1 has a segmentation fault in changedline in ldebug.c e.g., when called by luaG traceexec because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function...

PT-2026-47116

Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.05.4.3 allows attackers to perform Sandbox Escape via a crafted script file...

PT-2026-43298

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn in lua/upload/upload.go uses filepath.Join with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This...

PT-2026-47119

An issue in the component luaG runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs...

PT-2026-47114

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal3,2^31...

PT-2026-47118

singlevar in lparser.c in Lua from including 5.4.0 up to excluding 5.4.4 lacks a certain luaK exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code...

Exploit for Improper Neutralization of Null Byte or NUL Character in Wftpserver Wing_Ftp_Server

CVE-2025-47812 — Wing FTP Server Unauth RCE rewrite Python...

COORG_EXECUTOR

🚀 COORG-EXECUTOR - Professional Roblox Script Executor for...

CLSA-2026-1779351595 Fix CVE(s): CVE-2026-23631

SECURITY UPDATE: Use-after-free in readSyncBulkPayload during fullsync - debian/patches/0015-CVE-2026-23631.patch: guard readSyncBulkPayload in src/replication.c with an early return when server.luatimedout is set, so a fullsync cannot free the Lua scripting engine while a timed-out script is sti...