CVE Daily
← All tags

Tag: Lua

All CVEs associated with "Lua". Page 2/3 • 320 CVEs.

Subscribe CVEs: RSS for “Lua”  ·  RSS (High+Critical only)

About “Lua”

A curated feed of “Lua”-related CVEs appears below. We currently track 320 CVEs for this tag (all time). In the last 365 days, 103 were published. Average CVSS is 7.7 (all time; 8.1 over 365d), and 75% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), CWE-94 - Improper Control of Generation of Code ('Code Injection'), CWE-125 - Out-of-bounds Read.

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2025-02-12
High

CVE-2025-26369

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to us…

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2025-26368

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups v…

CVSS: 8.1 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2025-26367

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary use…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2025-26366

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable fro…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2025-26365

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable fron…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2025-26364

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable an…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2025-26363

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an a…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2025-26362

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbi…

CVSS: 7.5 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2025-26361

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory res…

CVSS: 9.1 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2025-26360

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delet…

CVSS: 5.3 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2025-26359

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset us…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2025-26357

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP…

CVSS: 4.9 CWE: CWE-35 - Path Traversal: '.../...//' View on NVD
High

CVE-2025-26356

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensiti…

CVSS: 7.2 CWE: CWE-35 - Path Traversal: '.../...//' View on NVD
Medium

CVE-2025-26355

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTT…

CVSS: 6.5 CWE: CWE-35 - Path Traversal: '.../...//' View on NVD
High

CVE-2025-26354

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive fi…

CVSS: 7.2 CWE: CWE-35 - Path Traversal: '.../...//' View on NVD
Medium

CVE-2025-26353

A CWE-35 "Path Traversal" in maxtime/api/sql/sql.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.

CVSS: 4.9 CWE: CWE-35 - Path Traversal: '.../...//' View on NVD
Medium

CVE-2025-26348

A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserMenu endpoint) in Q-Free MaxTime less than or equal to version 2.…

CVSS: 5.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2025-26347

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user pe…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2025-26346

A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserGroupMenu endpoint) in Q-Free MaxTime less than or equal to versi…

CVSS: 5.5 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Critical

CVE-2025-26345

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user gr…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2025-26344

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2025-26342

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create a…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2025-26341

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset ar…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Critical

CVE-2025-26339

A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the devi…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2025-01-06
High

CVE-2024-46981

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code…

CVSS: 7.0 CWE: CWE-416 - Use After Free View on NVD
2024-12-06
High

CVE-2024-10776

Lua apps can be deployed, removed, started, reloaded or stopped without authorization via AppManager. This allows an attacker to remove legitimate apps creating a DoS attack, read and write files or…

CVSS: 8.2 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2024-11-12
High

CVE-2024-36513

A privilege context switching error vulnerability [CWE-270] in FortiClient Windows version 7.2.4 and below, version 7.0.12 and below, 6.4 all versions may allow an authenticated user to escalate thei…

CVSS: 8.2 CWE: CWE-270 - Privilege Context Switching Error View on NVD
2024-10-07
High

CVE-2024-31449

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potent…

CVSS: 7.0 CWE: CWE-20 - Improper Input Validation View on NVD
2024-09-16
High

CVE-2024-45416

The HTTPD binary in multiple ZTE routers has a local file inclusion vulnerability in session_init function. The session -LUA- files are stored in the directory /var/lua_session, the function iterates…

CVSS: 8.1 CWE: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere View on NVD
High

CVE-2024-45413

The HTTPD binary in multiple ZTE routers has a stack-based buffer overflow vulnerability in rsa_decrypt function. This function is an API wrapper for LUA to decrypt RSA encrypted ciphertext, the decr…

CVSS: 8.1 CWE: CWE-121 - Stack-based Buffer Overflow View on NVD
2024-09-10
Medium

CVE-2024-45597

Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbit…

CVSS: 5.3 CWE: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection') View on NVD
2024-08-16
High

CVE-2024-43395

CraftOS-PC 2 is a rewrite of the desktop port of CraftOS from the popular Minecraft mod ComputerCraft using C++ and a modified version of PUC Lua, as well as SDL for drawing. Prior to version 2.8.3,…

CVSS: 8.2 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-06-29
High

CVE-2024-39840

Factorio before 1.1.101 allows a crafted server to execute arbitrary code on clients via a custom map that leverages the ability of certain Lua base module functions to execute bytecode and generate…

CVSS: 8.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
2024-06-27
High

CVE-2024-39207

lua-shmem v1.0-1 was discovered to contain a buffer overflow via the shmem_write function.

CVSS: 8.2 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2024-05-20
High

CVE-2024-31714

Buffer Overflow vulnerability in Waxlab wax v.0.9-3 and before allows an attacker to cause a denial of service via the Lua library component.

CVSS: 7.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
2024-05-01
Medium

CVE-2024-32973

Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. In affected versions an attacker with the ability to actively intercept network traffic would be able to use a specifically…

CVSS: 4.8 CWE: CWE-284 - Improper Access Control View on NVD
2024-04-24
High

CVE-2024-33531

cdbattags lua-resty-jwt 0.2.3 allows attackers to bypass all JWT-parsing signature checks by crafting a JWT with an enc header with the value A256GCM.

CVSS: 8.1 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2024-04-23
High

CVE-2024-31616

An issue discovered in RG-RSR10-01G-T(W)-S and RG-RSR10-01G-T(WA)-S routers with firmware version RSR10-01G-T-S_RSR_3.0(1)B9P2, Release(07150910) allows attackers to execute arbitrary code via the co…

CVSS: 8.8 CWE: CWE-790 - Improper Filtering of Special Elements View on NVD
2024-04-16
High

CVE-2024-31446

OpenComputers is a Minecraft mod that adds programmable computers and robots to the game. A user can use OpenComputers to get a Computer thread stuck in the Lua VM, which eventually blocks the Server…

CVSS: 7.7 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2024-01-12
Critical

CVE-2023-50919

An issue was discovered on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2023-12-30
Critical

CVE-2023-52252

Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint.

CVSS: 9.8 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2023-09-05
High

CVE-2023-4540

Improper Handling of Exceptional Conditions vulnerability in Daurnimator lua-http library allows Excessive Allocation and a denial of service (DoS) attack to be executed by sending a properly crafted…

CVSS: 7.5 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
2023-07-13
High

CVE-2022-24834

Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potential…

CVSS: 7.0 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
2023-06-29
Critical

CVE-2023-34849

An unauthorized command injection vulnerability exists in the ActionLogin function of the webman.lua file in Ikuai router OS through 3.7.1.

CVSS: 9.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2023-06-19
Critical

CVE-2023-35853

In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the se…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2023-06-14
Low

CVE-2023-3040

A debug function in the lua-resty-json package, up to commit id 3ef9492bd3a44d9e51301d6adc3cd1789c8f534a (merged in PR #14) contained an out of bounds access bug that could have allowed an attacker t…

CVSS: 3.7 CWE: CWE-125 - Out-of-bounds Read View on NVD
2023-06-07
High

CVE-2023-34108

mailcow is a mail server suite based on Dovecot, Postfix and other open source software, that provides a modern web UI for user/server administration. A vulnerability has been discovered in mailcow w…

CVSS: 8.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2023-05-22
High

CVE-2023-32350

Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the v…

CVSS: 8.0 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2023-05-20
High

CVE-2023-32700

LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be access…

CVSS: 7.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2023-05-08
Medium

CVE-2023-21404

AXIS OS 11.0.X - 11.3.x use a static RSA key in legacy LUA-components to protect Axis-specific source code. The static RSA key is not used in any other secure communication nor can it be used to comp…

CVSS: 5.3 CWE: CWE-321 - Use of Hard-coded Cryptographic Key View on NVD
2023-04-10
High

CVE-2021-45985

In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read.

CVSS: 7.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
2023-04-04
Medium

CVE-2023-27496

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the OAuth filter assumes that a `state` query para…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2023-27492

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the Lua filter is vulnerable to denial of service.…

CVSS: 4.8 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2023-03-27
High

CVE-2023-1143

In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.

CVSS: 8.8 CWE: N/A View on NVD
2023-03-26
High

CVE-2023-27796

RG-EW1200G PRO Wireless Routers EW_3.0(1)B11P204, RG-EW1800GX PRO Wireless Routers EW_3.0(1)B11P204, and RG-EW3200GX PRO Wireless Routers EW_3.0(1)B11P204 were discovered to contain multiple command…

CVSS: 8.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2023-03-22
Critical

CVE-2023-27224

An issue found in NginxProxyManager v.2.9.19 allows an attacker to execute arbitrary code via a lua script to the configuration file.

CVSS: 9.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2023-02-13
Critical

CVE-2023-23551

Control By Web X-600M devices run Lua scripts and are vulnerable to code injection, which could allow an attacker to remotely execute arbitrary code.

CVSS: 9.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2023-02-12
Low

CVE-2020-36661

A vulnerability was found in Kong lua-multipart 0.5.8-1. It has been declared as problematic. This vulnerability affects the function is_header of the file src/multipart.lua. The manipulation leads t…

CVSS: 3.5 CWE: CWE-1333 - Inefficient Regular Expression Complexity View on NVD
2023-01-26
High

CVE-2022-40719

This vulnerability allows network-adjacent attackers to execute arbitrary commands on affected installations of D-Link DIR-2150 4.0.1 routers. Authentication is not required to exploit this vulnerabi…

CVSS: 8.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2023-01-08
Medium

CVE-2022-4881

A vulnerability was found in CapsAdmin PAC3. It has been rated as problematic. Affected by this issue is some unknown functionality of the file lua/pac3/core/shared/http.lua. The manipulation of the…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2022-08-15
High

CVE-2022-35978

Minetest is a free open-source voxel game engine with easy modding and game creation. In **single player**, a mod can set a global setting that controls the Lua script loaded to display the main menu…

CVSS: 7.7 CWE: CWE-693 - Protection Mechanism Failure View on NVD
2022-08-03
High

CVE-2022-35158

A vulnerability in the lua parser of TscanCode tsclua v2.15.01 allows attackers to cause a Denial of Service (DoS) via a crafted lua script.

CVSS: 7.5 CWE: N/A View on NVD
2022-07-14
Critical

CVE-2022-28375

Verizon 5G Home LVSKIHP OutDoorUnit (ODU) 3.33.101.0 does not property sanitize user-controlled parameters within the crtcswitchsimprofile function of the crtcrpc JSON listener. A remote attacker on…

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2022-28374

Verizon 5G Home LVSKIHP OutDoorUnit (ODU) 3.33.101.0 does not property sanitize user-controlled parameters within the DMACC URLs on the Settings page of the Engineering portal. An authenticated remot…

CVSS: 8.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Critical

CVE-2022-28373

Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 does not properly sanitize user-controlled parameters within the crtcreadpartition function of the crtcrpc JSON listener in /usr/lib/lua/luci/crtc.…

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
High

CVE-2022-28372

On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints provide a means of provisioning a firmware update for the device via cr…

CVSS: 7.5 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2022-07-01
High

CVE-2022-33099

An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.

CVSS: 7.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
2022-06-23
High

CVE-2022-31395

Algo Communication Products Ltd. 8373 IP Zone Paging Adapter Firmware 1.7.6 allows attackers to perform a directory traversal via a web request sent to /fm-data.lua.

CVSS: 8.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2022-06-09
High

CVE-2022-29404

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size.

CVSS: 7.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
Critical

CVE-2022-28615

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed…

CVSS: 9.1 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
2022-04-27
Low

CVE-2022-24736

Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will re…

CVSS: 3.3 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Low

CVE-2022-24735

Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua…

CVSS: 3.9 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2022-04-20
High

CVE-2022-29266

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive infor…

CVSS: 7.5 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
2022-04-08
Critical

CVE-2022-28805

singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles…

CVSS: 9.1 CWE: CWE-125 - Out-of-bounds Read View on NVD
2022-03-30
Critical

CVE-2022-28223

Tekon KIO devices through 2022-03-30 allow an authenticated admin user to escalate privileges to root by uploading a malicious Lua plugin.

CVSS: 9.1 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2022-03-28
Critical

CVE-2022-25757

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass th…

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
2022-03-14
Medium

CVE-2021-44964

Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file.

CVSS: 6.3 CWE: CWE-416 - Use After Free View on NVD
2022-02-18
Critical

CVE-2022-0543

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

CVSS: 10.0 CWE: CWE-862 - Missing Authorization View on NVD
2022-01-11
Medium

CVE-2021-44647

Lua v5.4.3 and above are affected by SEGV by type confusion in funcnamefromcode function in ldebug.c which can cause a local denial of service.

CVSS: 5.5 CWE: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion') View on NVD
2021-12-20
Critical

CVE-2021-44790

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerab…

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
2021-11-09
Medium

CVE-2021-43519

Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file.

CVSS: 5.5 CWE: CWE-674 - Uncontrolled Recursion View on NVD
2021-10-04
Medium

CVE-2021-32672

Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond t…

CVSS: 5.3 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2021-32626

Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to in…

CVSS: 7.5 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
2021-09-16
Critical

CVE-2020-14119

There is command injection in the addMeshNode interface of xqnetwork.lua, which leads to command execution under administrator authority on Xiaomi router AX3600 with rom versionrom< 1.1.12

CVSS: 9.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2021-08-24
High

CVE-2021-39156

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3…

CVSS: 8.1 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2021-39155

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 434…

CVSS: 8.3 CWE: CWE-178 - Improper Handling of Case Sensitivity View on NVD
2021-07-30
High

CVE-2021-37601

muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common co…

CVSS: 7.5 CWE: N/A View on NVD
2021-05-13
Medium

CVE-2021-32921

An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a…

CVSS: 5.9 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2021-32918

An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2021-04-06
Medium

CVE-2020-36309

ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header.

CVSS: 5.3 CWE: N/A View on NVD
2021-03-21
High

CVE-2021-28961

applications/luci-app-ddns/luasrc/model/cbi/ddns/detail.lua in the DDNS package for OpenWrt 19.07 allows remote authenticated users to inject arbitrary commands via POST requests.

CVSS: 8.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2020-12-15
High

CVE-2020-25757

A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with r…

CVSS: 8.8 CWE: CWE-20 - Improper Input Validation View on NVD
2020-09-24
Medium

CVE-2020-3423

A vulnerability in the implementation of the Lua interpreter that is integrated in Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary code with root privileges on…

CVSS: 5.1 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2020-09-23
High

CVE-2019-15992

A vulnerability in the implementation of the Lua interpreter integrated in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authentica…

CVSS: 7.2 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2020-09-04
Critical

CVE-2020-24987

Tenda AC18 Router through V15.03.05.05_EN and through V15.03.05.19(6318) CN devices could cause a remote code execution due to incorrect authentication handling of vulnerable logincheck() function in…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2020-08-17
Medium

CVE-2020-24371

lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage.

CVSS: 5.3 CWE: CWE-763 - Release of Invalid Pointer or Reference View on NVD
Medium

CVE-2020-24370

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).

CVSS: 5.3 CWE: CWE-191 - Integer Underflow (Wrap or Wraparound) View on NVD
High

CVE-2020-24369

ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference.

CVSS: 7.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2020-08-13
High

CVE-2020-24342

Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.

CVSS: 7.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2020-08-05
Critical

CVE-2020-13151

Aerospike Community Edition 4.9.0.5 allows for unauthenticated submission and execution of user-defined functions (UDFs), written in Lua, as part of a database query. It attempts to restrict code exe…

CVSS: 9.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2020-07-24
Medium

CVE-2020-15945

Lua 5.4.0 (fixed in 5.4.1) has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return…

CVSS: 5.5 CWE: N/A View on NVD
2020-07-21
Critical

CVE-2020-15889

Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.

CVSS: 9.8 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2020-15888

Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free.

CVSS: 8.8 CWE: CWE-125 - Out-of-bounds Read View on NVD
2020-06-23
High

CVE-2020-14939

An issue was discovered in savestruct_internal.c in FreedroidRPG 1.0rc2. Saved game files are composed of Lua scripts that recover a game's state. A file can be modified to put any Lua code inside, l…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
2020-06-15
High

CVE-2020-14147

An integer overflow in the getnum function in lua_struct.c in Redis before 6.0.3 allows context-dependent attackers with permission to run Lua code in a Redis session to cause a denial of service (me…

CVSS: 7.7 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
2020-05-28
Medium

CVE-2019-20807

In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).

CVSS: 5.3 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2020-04-21
Critical

CVE-2020-11966

In IQrouter through 3.3.1, the Lua function reset_password in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can only o…

CVSS: 9.8 CWE: CWE-521 - Weak Password Requirements View on NVD
High

CVE-2020-11964

In IQrouter through 3.3.1, the Lua function diag_set_password in the web-panel allows remote attackers to change the root password arbitrarily. Note: The vendor claims that this vulnerability can onl…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2020-04-12
High

CVE-2020-11724

An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.

CVSS: 7.5 CWE: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') View on NVD
Critical

CVE-2020-11722

Dungeon Crawl Stone Soup (aka DCSS or crawl) before 0.25 allows remote attackers to execute arbitrary code via Lua bytecode embedded in an uploaded .crawlrc file.

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2020-03-07
High

CVE-2020-9470

An issue was discovered in Wing FTP Server 6.2.5 before February 2020. Due to insecure permissions when handling session cookies, a local user may view the contents of the session and session_admin d…

CVSS: 7.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2020-02-27
Critical

CVE-2020-9434

openssl_x509_check_ip_asc in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.

CVSS: 9.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
Critical

CVE-2020-9433

openssl_x509_check_email in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.

CVSS: 9.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
Critical

CVE-2020-9432

openssl_x509_check_host in lua-openssl 0.7.7-1 mishandles X.509 certificate validation because it uses lua_pushboolean for certain non-boolean return values.

CVSS: 9.1 CWE: CWE-295 - Improper Certificate Validation View on NVD
2020-02-11
Critical

CVE-2013-5945

Multiple SQL injection vulnerabilities in D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N,…

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2020-02-06
Medium

CVE-2014-2875

The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses weak session IDs generated based on OS time, which allows remote attackers to hijack arbitrary sessions via a brute force attack. NO…

CVSS: 6.1 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
Medium

CVE-2014-10400

The session.lua library in CGILua 5.0.x uses sequential session IDs, which makes it easier for remote attackers to predict the session ID and hijack arbitrary sessions. NOTE: this vulnerability was S…

CVSS: 6.1 CWE: CWE-384 - Session Fixation View on NVD
Medium

CVE-2014-10399

The session.lua library in CGILua 5.1.x uses the same ID for each session, which allows remote attackers to hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875.

CVSS: 6.1 CWE: CWE-384 - Session Fixation View on NVD
2020-01-31
Medium

CVE-2013-3565

Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interface in VideoLAN VLC Media Player before 2.0.7 allow remote attackers to inject arbitrary web script or HTML via the (1) command p…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2020-01-28
High

CVE-2013-4863

The HomeAutomationGateway service in MiCasaVerde VeraLite with firmware 1.5.408 allows (1) remote attackers to execute arbitrary Lua code via a RunLua action in a request to upnp/control/hag on port…

CVSS: 8.8 CWE: CWE-287 - Improper Authentication View on NVD