CVE-2026-4745
Received Received - Intake
Code Injection in perf-ninja ldo.C Module Risks Execution

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description
Improper Control of Generation of Code ('Code Injection') vulnerability in dendibakh perf-ninja (labs/misc/pgo/lua modules). This vulnerability is associated with program files ldo.C. This issue affects perf-ninja.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4745
EUVD
EUVD-2026-14744
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dendibakh perf-ninja to 2025-06-15 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-4745 is a code injection vulnerability in the perf-ninja project, specifically in the dendibakh perf-ninja's labs/misc/pgo/lua modules related to the program file ldo.C."}, {'type': 'paragraph', 'content': 'The vulnerability arises from the ability of a cloned function named f_parser() to load Lua bytecode, which can be exploited to inject malicious code.'}, {'type': 'paragraph', 'content': 'The security fix involved disabling the loading of Lua bytecode within this function to prevent exploitation, similar to a prior fix in the Redis project.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker to perform code injection by exploiting the ability to load Lua bytecode in the vulnerable function.'}, {'type': 'paragraph', 'content': "Successful exploitation could lead to arbitrary code execution, potentially compromising the affected system's integrity, confidentiality, and availability."}, {'type': 'paragraph', 'content': 'Given the CVSS base score of 10.0, this is a critical vulnerability that can be exploited remotely without any privileges or user interaction.'}] [1]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, the key step is to apply the security fix that disables the loading of Lua bytecode in the f_parser() function within the perf-ninja project.

This fix prevents exploitation of the code injection vulnerability by eliminating the ability to load potentially malicious Lua bytecode.

Ensure your perf-ninja installation is updated to include the patch merged on June 15, 2025, which addresses this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4745. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart