{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4745", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-03-24T03:27:05.370Z", "datePublished": "2026-03-24T03:27:30.756Z", "dateUpdated": "2026-03-24T18:22:15.123Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T03:27:30.756Z"}, "title": "Arbitrary Code Execution via Crafted Bytecode in dendibakh/perf-ninja", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "affected": [{"vendor": "dendibakh", "product": "perf-ninja", "collectionURL": "https://github.com/dendibakh/perf-ninja", "modules": ["labs/misc/pgo/lua"], "programFiles": ["ldo.c"], "versions": [{"status": "affected", "version": "0"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in dendibakh perf-ninja (labs/misc/pgo/lua modules). This vulnerability is associated with program files ldo.C.\n\nThis issue affects perf-ninja.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in dendibakh perf-ninja (labs/misc/pgo/lua modules).<p> This vulnerability is associated with program files ldo.C.</p><p>This issue affects perf-ninja.</p>"}]}], "references": [{"url": "https://github.com/dendibakh/perf-ninja/pull/129", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "ATTACKED", "Safety": "NEGLIGIBLE", "Automatable": "YES", "Recovery": "USER", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "LOW", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 10, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:N/AU:Y/R:U/V:D/RE:L/U:Amber"}}], "credits": [{"lang": "en", "value": "TITAN Team (titancaproject@gmail.com)", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:22:03.222411Z", "id": "CVE-2026-4745", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:22:15.123Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4745", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T18:22:03.222411Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:22:11.921Z"}}], "cna": {"title": "Arbitrary Code Execution via Crafted Bytecode in dendibakh/perf-ninja", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 10, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:N/AU:Y/R:U/V:D/RE:L/U:Amber", "exploitMaturity": "ATTACKED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "dendibakh", "modules": ["labs/misc/pgo/lua"], "product": "perf-ninja", "versions": [{"status": "affected", "version": "0"}], "programFiles": ["ldo.c"], "collectionURL": "https://github.com/dendibakh/perf-ninja", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/dendibakh/perf-ninja/pull/129", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in dendibakh perf-ninja (labs/misc/pgo/lua modules). This vulnerability is associated with program files ldo.C.\n\nThis issue affects perf-ninja.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in dendibakh perf-ninja (labs/misc/pgo/lua modules).<p> This vulnerability is associated with program files ldo.C.</p><p>This issue affects perf-ninja.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T03:27:30.756Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4745", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:22:15.123Z", "dateReserved": "2026-03-24T03:27:05.370Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-03-24T03:27:30.756Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in dendibakh perf-ninja (labs/misc/pgo/lua modules). This vulnerability is associated with program files ldo.C.\n\nThis issue affects perf-ninja."}], "id": "CVE-2026-4745", "lastModified": "2026-03-24T15:53:48.067", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "ATTACKED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-03-24T05:16:25.777", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/dendibakh/perf-ninja/pull/129"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "perf-ninja", "source": "cna", "vendor": "dendibakh"}, "product": "perf-ninja", "vendor": "dendibakh"}], "analysis": {"en": {"generated_at": "2026-03-24T05:21:22.051915+00:00", "value": {"mitigation_remediation": ["Merge the fix from pull request 129 into your perf\u2011ninja deployment to replace the vulnerable ldo.C module"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is dendibakh's perf\u2011ninja, specifically the Lua modules under labs/misc/pgo/lua. No specific version numbers are listed in the CNA data; the issue appears in the current codebase as referenced in pull request 129.", "description_and_impact": "This vulnerability represents an improper control over code generation, allowing an attacker to hijack the Lua interpreter by injecting crafted bytecode. The result is arbitrary code execution within the context of the perf-ninja application, potentially compromising confidentiality, integrity, and availability of the entire system. The weakness is classified as CWE\u201194, which confirms that code injection can occur when untrusted input is used to generate or execute program code.", "risk_and_exploitability": "The CVSS score of 10 indicates a critical level of risk. Exploit probability data (EPSS) is not available, and the vulnerability is not catalogued in CISA\u2019s KEV list. Based on the description, the failure to control bytecode generation suggests that an attacker who can supply or modify Lua bytecode\u2014potentially through local file manipulation or networked input to the perf\u2011ninja service\u2014can trigger arbitrary code execution. No additional exploitation prerequisites are detailed, but the severity implies that any successful injection would have system\u2011wide impact."}}}}, "created": "2026-03-24T10:29:09.058502+00:00", "updated": "2026-03-25T20:40:14.409466+00:00", "vendors": ["dendibakh", "dendibakh$PRODUCT$perf-ninja"]}