CVE-2026-41246: Contour Envoy Lua Injection

Provally Curated · Public repository · Severity: High · Medium confidence · Verified · Apache-2.0 · Language: go
greprules fetch cve-2026-41246-contour-envoy-lua-injection --engine opengrep

Description

Building an Envoy Lua filter script at runtime by string interpolation or templating (for example, `fmt.Sprintf` or `text/template` over the `inline_code` body) is a Lua code injection sink. Any user-controlled value spliced into the script source, such as an annotation or route field that ends up inside a Lua string literal, can close that literal and add statements that run with the proxy's privileges on every request the filter handles. Keep the Lua script static and supply dynamic values as data rather than code: through Envoy's per-route `filter_context` (read from the script with `handle:filterContext()`) or through request/stream data such as headers or metadata.
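The pattern the rule flags and the fix it recommends, side by side, as an added Go example that is not code from the rule catalog or from Contour. The `LuaFilter` struct, the two builder functions, the `inputInScript` oracle and the sample payload are assumptions made for this example; they stand in for the real `envoy.extensions.filters.http.lua.v3` protobuf types so the snippet runs offline.

```go
package main

import (
	"fmt"
	"strings"
)

// LuaFilter is a simplified stand-in (assumption) for Envoy's HTTP Lua filter
// configuration: the script source loaded at config time and the per-route
// filter_context that a script can read with handle:filterContext().
type LuaFilter struct {
	InlineCode    string
	FilterContext map[string]string
}

// buildLuaFilterUnsafe is the anti-pattern the rule detects: a value that an
// end user controls (e.g. an annotation on an Ingress/HTTPProxy) is formatted
// straight into the Lua source. Anything that closes the string literal is
// no longer data; it is Lua that the proxy compiles and runs.
func buildLuaFilterUnsafe(allowedHost string) LuaFilter {
	script := fmt.Sprintf(`function envoy_on_request(request_handle)
  local allowed = "%s"
  if request_handle:headers():get(":authority") ~= allowed then
    request_handle:respond({[":status"] = "403"}, "forbidden")
  end
end`, allowedHost)
	return LuaFilter{InlineCode: script}
}

// staticScript is fixed at build time and never changes with input. The
// dynamic value is looked up from filter_context at request time instead.
const staticScript = `function envoy_on_request(request_handle)
  local allowed = request_handle:filterContext()["allowed_host"]
  if request_handle:headers():get(":authority") ~= allowed then
    request_handle:respond({[":status"] = "403"}, "forbidden")
  end
end`

// buildLuaFilterSafe keeps the script static and ships the user-controlled
// value as data, so the Lua parser never sees it.
func buildLuaFilterSafe(allowedHost string) LuaFilter {
	return LuaFilter{
		InlineCode:    staticScript,
		FilterContext: map[string]string{"allowed_host": allowedHost},
	}
}

// inputInScript is the check a reviewer (or a grep rule) really cares about:
// does the raw input appear anywhere in the script source? If it does, the
// input is part of the program, not a parameter of it.
func inputInScript(f LuaFilter, input string) bool {
	return strings.Contains(f.InlineCode, input)
}

func main() {
	// Constructed payload: closes the Lua string, concatenates in a call, and
	// reopens the string so the result is still syntactically valid Lua.
	payload := `evil.example" .. os.execute("id") .. "`

	unsafe := buildLuaFilterUnsafe(payload)
	fmt.Println("unsafe script contains input:", inputInScript(unsafe, payload))
	fmt.Println(unsafe.InlineCode)

	safe := buildLuaFilterSafe(payload)
	fmt.Println("safe script contains input:", inputInScript(safe, payload))
	fmt.Println("allowed_host in filter_context:", safe.FilterContext["allowed_host"])
}
```

In the unsafe output the second line of the script reads `local allowed = "evil.example" .. os.execute("id") .. ""`, which Envoy would happily load. In the safe variant the same payload is just an odd hostname value in `filter_context`: the comparison fails for every request, which is the correct failure mode, and no code is introduced.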

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
