Apache Kvrocks 2.2.0-2.15.0 Remote Code Execution Vulnerability
CVE-2026-46751 Published on June 25, 2026
Apache Kvrocks does not remove the unsafe loadstring function from its Lua sandbox. A user who can run EVAL scripts can therefore load crafted, unvalidated bytecode that crashes the server process, resulting in a remote denial of service.
A vulnerability in Apache Kvrocks.
This issue affects Apache Kvrocks: from 2.2.0 through 2.15.0.
Users are recommended to upgrade to version 2.16.0, which fixes the issue.
Affected Versions
Apache Software Foundation Apache Kvrocks: versions 2.2.0 through 2.15.0 are affected.
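
An added triage example (not from the advisory or the Kvrocks project): it checks a version string against the affected range above and flags EVAL, EVAL_RO and SCRIPT LOAD commands whose Lua source mentions loadstring. The log format (Redis MONITOR style) and the sample lines are assumptions constructed for illustration.

```python
import re
import shlex

# Affected range stated in the advisory: 2.2.0 through 2.15.0, inclusive.
AFFECTED_MIN, AFFECTED_MAX = (2, 2, 0), (2, 15, 0)
LOADSTRING = re.compile(r"\bloadstring\b")

def is_affected(version):
    """Compare numerically: as strings, '2.10.0' would sort below '2.2.0'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"not a release version: {version!r}")
    return AFFECTED_MIN <= tuple(map(int, m.groups())) <= AFFECTED_MAX

def script_body(args):
    """Return the Lua source a command carries, or None (EVALSHA has only a hash)."""
    if len(args) >= 2 and args[0].upper() in ("EVAL", "EVAL_RO"):
        return args[1]
    if len(args) >= 3 and args[0].upper() == "SCRIPT" and args[1].upper() == "LOAD":
        return args[2]
    return None

def find_loadstring_scripts(log_lines):
    """Return (line_number, client, command) for scripts that mention loadstring."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        head, _, rest = line.partition("] ")
        try:
            args = shlex.split(rest)
        except ValueError:  # unbalanced quotes: skip the malformed line
            continue
        body = script_body(args)
        if body and LOADSTRING.search(body):
            client = head.rsplit(" ", 1)[-1]
            hits.append((number, client, args[0].upper()))
    return hits

# Constructed sample lines (assumed format, not taken from the advisory).
SAMPLE_LOG = [
    '1750000000.000001 [0 10.0.0.5:50112] "GET" "session:42"',
    '1750000000.000002 [0 10.0.0.5:50112] "EVAL" "return redis.call(\'GET\', KEYS[1])" "1" "k"',
    '1750000000.000003 [0 10.0.0.9:41022] "EVAL" "return type(loadstring)" "0"',
    '1750000000.000004 [0 10.0.0.9:41022] "SCRIPT" "LOAD" "local f = loadstring(ARGV[1])"',
]

if __name__ == "__main__":
    for v in ("2.1.0", "2.10.0", "2.15.0", "2.16.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    print(find_loadstring_scripts(SAMPLE_LOG))
```

A text match on script bodies is a triage aid only; the fix stated above is the upgrade to 2.16.0.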