๐Ÿ” CVE Alert

CVE-2026-47206

UNKNOWN 0.0

Dragonfly: RESP Protocol Injection via Lua redis.error_reply() in EvalSerializer

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.9, Dragonfly has a RESP Protocol Injection via Lua redis.error_reply() in EvalSerializer. An authenticated user can inject arbitrary RESP messages into the connection's response stream, potentially causing response desynchronization in connection-pool clients. This vulnerability is fixed in 1.39.9.

CWE: CWE-116
Vendor: dragonflydb
Product: dragonfly
Published: Jun 26, 2026
Last Updated: Jun 26, 2026

Affected Versions

dragonflydb / dragonfly
< 1.38.9

References

https://github.com/dragonflydb/dragonfly/security/advisories/GHSA-h77h-c6hc-qc9h
https://github.com/dragonflydb/dragonfly/issues/7328
https://github.com/dragonflydb/dragonfly/pull/7332