
222110 matches found

Github Security Blog, added 2026/01/13 6:47 p.m., 9 views

Envoy Extension Policy lua scripts injection causes arbitrary command execution

Impact: Envoy Gateway allows users to create Lua scripts that are executed by Envoy proxy using the EnvoyExtensionPolicy resource. Administrators can use Kubernetes RBAC to grant users the ability to create EnvoyExtensionPolicy resources. Lua scripts in policies are executed in two contexts: An...

CVSS 8.8 · AI score 8 · EPSS 0.00005
Exploits: 1 · References: 3 · Affected software: 1
OSV, added 2026/01/13 6:47 p.m., 2 views

GHSA-XRWG-MQJ6-6M22 Envoy Extension Policy lua scripts injection causes arbitrary command execution

Impact: Envoy Gateway allows users to create Lua scripts that are executed by Envoy proxy using the EnvoyExtensionPolicy resource. Administrators can use Kubernetes RBAC to grant users the ability to create EnvoyExtensionPolicy resources. Lua scripts in policies are executed in two contexts: An...

CVSS 8.8 · AI score 7.9 · EPSS 0.00005
Exploits: 1 · References: 3
Snyk, added 2026/01/13 6:47 p.m., 1 view

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection via the EnvoyExtensionPolicy resource. An attacker can execute arbitrary commands and access sensitive credentials by injecting malicious Lua scripts. This can lead to privilege escalation, theft of secrets, and...

CVSS 9.2 · AI score 7.9 · EPSS 0.00005
Exploits: 1 · References: 2
EUVD, added 2026/01/13 6:47 p.m., 3 views

EUVD-2026-2007

Envoy Extension Policy lua scripts injection causes arbitrary command execution...

CVSS 8.8 · AI score 7.1 · EPSS 0.00005
Exploits: 1 · References: 2
NVD, added 2026/01/13 2:15 a.m., 4 views

CVE-2026-0499

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal...

CVSS 6.1 · EPSS 0.00212
Exploits: 0 · References: 2
Positive Technologies, added 2026/01/13 12:00 a.m., 2 views

PT-2026-3195

Name of the Vulnerable Software and Affected Versions: versions prior to 2025 (affected versions not specified). Description: An authenticated user with standard operating system privileges could modify TCL Macro scripts. Successful exploitation may lead to privilege escalation to the operating system...

CVSS 9.3 · AI score 5.4 · EPSS 0.00015
Exploits: 0 · References: 9
Positive Technologies, added 2026/01/13 12:00 a.m., 5 views

PT-2026-2495

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses padLeft(32, '0') when it should use padLeft(64, '0'), because SHA-256 produces 32 bytes, which equates to 64 hex characters. This vulnerability is fixed in 2.2...

CVSS 8.7 · AI score 6.8 · EPSS 0.00023
Exploits: 0 · References: 4
Spring Engineering, added 2026/01/13 12:00 a.m., 6 views

Spring AI Agentic Patterns (Part 1): Agent Skills - Modular, Reusable Capabilities

Agent Skills are modular folders of instructions, scripts, and resources that AI agents can discover and load on demand. Instead of hardcoding knowledge into prompts or creating specialized tools for every task, skills provide a flexible way to extend agent capabilities. Spring AI's implementatio...

AI score 7
Exploits: 0
Positive Technologies, added 2026/01/13 12:00 a.m., 1 view

PT-2026-2422

Name of the Vulnerable Software and Affected Versions: Jetpack version 11.4. Description: The software contains a cross-site scripting issue within the contact form module. An attacker can inject malicious scripts through the post id parameter. By crafting malicious URLs with script payloads, an...

CVSS 6.1 · AI score 6.2 · EPSS 0.00067
Exploits: 1 · References: 7
Tenable Nessus, added 2026/01/13 12:00 a.m., 1 view

MiracleLinux 8 : redis:6 (AXSA:2025-11019:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2025-11019:01 advisory: redis: Lua library commands may lead to integer overflow and potential RCE (CVE-2025-46817); Redis: Authenticated users can execute LUA scripts...

CVSS 9.9 · AI score 9.1 · EPSS 0.11111
Exploits: 14 · References: 5
Positive Technologies, added 2026/01/13 12:00 a.m., 2 views

PT-2026-2493

Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses PKCS1Encoding, which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding). This vulnerability is fixed in 2.2...

CVSS 8.7 · AI score 6.9 · EPSS 0.00009
Exploits: 0 · References: 4
Cvelist, added 2026/01/12 10:05 p.m., 18 views

CVE-2026-22799 emlog Arbitrary File Upload Vulnerability

Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint /index.php?rest-api=upload for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers with a valid API key ...

CVSS 9.3 · EPSS 0.00505
Exploits: 1 · References: 2
NVD, added 2026/01/12 7:16 p.m., 3 views

CVE-2026-22771

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communica...

CVSS 8.8 · EPSS 0.00005
Exploits: 1 · References: 1
OSV, added 2026/01/12 6:08 p.m., 3 views

CVE-2026-22771 Envoy Extension Policy lua scripts injection causes arbitrary command execution

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communica...

CVSS 8.8 · AI score 6.8 · EPSS 0.00005
Exploits: 1 · References: 3
Vulnrichment, added 2026/01/12 6:08 p.m., 6 views

CVE-2026-22771 Envoy Extension Policy lua scripts injection causes arbitrary command execution

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be used to communica...

CVSS 8.8 · AI score 6.5 · EPSS 0.00005
Exploits: 1 · References: 1
Veracode, added 2026/01/12 10:40 a.m., 4 views

Stored Cross-Site Scripting (XSS)

n8n is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability is due to improper sandbox enforcement when the "Respond to Webhook" node returns HTML content with executable scripts, which allows an attacker with workflow creation privileges to execute arbitrary JavaScript in the context...

CVSS 7.3 · AI score 6.1 · EPSS 0.00008
Exploits: 0 · References: 2 · Affected software: 1
CNNVD, added 2026/01/12 12:00 a.m., 1 view

GYM-MANAGEMENT-SYSTEM Security Vulnerability

GYM-MANAGEMENT-SYSTEM is a gym management system by Abhishek S Personal Developer. A security vulnerability exists in GYM-MANAGEMENT-SYSTEM version 1.0, which stems from the unvalidated name parameter in membersearch.php, trainersearch.php, and gymsearch.php, and the id parameter in...

CVSS 9.4 · AI score 7.7 · EPSS 0.00151
Exploits: 1 · References: 2
Positive Technologies, added 2026/01/12 12:00 a.m., 2 views

PT-2026-2290

Name of the Vulnerable Software and Affected Versions: Envoy Gateway versions prior to 1.5.7; Envoy Gateway versions prior to 1.6.2. Description: Envoy Gateway is an open source project for managing Envoy Proxy. EnvoyExtensionPolicy Lua scripts executed by the proxy can be used to leak the proxy's...

CVSS 8.8 · AI score 6.7 · EPSS 0.00005
Exploits: 1 · References: 12
Positive Technologies, added 2026/01/12 12:00 a.m., 4 views

PT-2026-2311

Name of the Vulnerable Software and Affected Versions: Emlog versions prior to 2.6.1. Description: Emlog is a website building system. Versions prior to 2.6.1 expose a REST API endpoint '/index.php?rest-api=upload' for media file uploads. This endpoint does not properly validate file types,...

CVSS 9.3 · AI score 6.5 · EPSS 0.00505
Exploits: 1 · References: 10
Snyk, added 2026/01/10 3:31 p.m., 1 view

Cross-site Scripting (XSS)

Overview: @questdb/web-console is a QuestDB Web Console. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the Web Console component. An attacker can inject and execute arbitrary scripts by submitting crafted input that is not properly sanitized. Details: Cross-site...

CVSS 5.1 · AI score 6 · EPSS 0.00079
Exploits: 0 · References: 2