GO-2026-5738
Contour has Lua code injection via Cookie Path Rewrite Policy in github.com/projectcontour/contour
Details
Contour has Lua code injection via Cookie Path Rewrite Policy in github.com/projectcontour/contour
Affected packages
Go / github.com/projectcontour/contour
Introduced in: 1.19.0
Fixed in: 1.31.6
Fix
go get github.com/projectcontour/contour@v1.31.6
References
- https://github.com/projectcontour/contour/security/advisories/GHSA-x4mj-7f9g-29h4 [ADVISORY]
- https://nvd.nist.gov/vuln/detail/CVE-2026-41246 [ADVISORY]
- https://github.com/projectcontour/contour/releases/tag/v1.31.6 [WEB]
- https://github.com/projectcontour/contour/releases/tag/v1.32.5 [WEB]
- https://github.com/projectcontour/contour/releases/tag/v1.33.4 [WEB]
- https://projectcontour.io/docs/1.33/config/cookie-rewriting [WEB]
- https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter [WEB]