CVE-2026-4745
Code Injection in perf-ninja ldo.C Module Risks Execution
Publication date: 2026-03-24
Last updated on: 2026-03-24
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dendibakh | perf-ninja | to 2025-06-15 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-4745 is a code injection vulnerability in the perf-ninja project, specifically in the dendibakh perf-ninja's labs/misc/pgo/lua modules related to the program file ldo.C."}, {'type': 'paragraph', 'content': 'The vulnerability arises from the ability of a cloned function named f_parser() to load Lua bytecode, which can be exploited to inject malicious code.'}, {'type': 'paragraph', 'content': 'The security fix involved disabling the loading of Lua bytecode within this function to prevent exploitation, similar to a prior fix in the Redis project.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker to perform code injection by exploiting the ability to load Lua bytecode in the vulnerable function.'}, {'type': 'paragraph', 'content': "Successful exploitation could lead to arbitrary code execution, potentially compromising the affected system's integrity, confidentiality, and availability."}, {'type': 'paragraph', 'content': 'Given the CVSS base score of 10.0, this is a critical vulnerability that can be exploited remotely without any privileges or user interaction.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, the key step is to apply the security fix that disables the loading of Lua bytecode in the f_parser() function within the perf-ninja project.
This fix prevents exploitation of the code injection vulnerability by eliminating the ability to load potentially malicious Lua bytecode.
Ensure your perf-ninja installation is updated to include the patch merged on June 15, 2025, which addresses this issue.