Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.1
Valkey Database: Malicious Scripting Can Corrupt Data
CVE-2025-67733
Summary
Old versions of Valkey can let a malicious user inject fake data into the database, which can mess up or fake information for other users on the same connection. This has been fixed in updated versions. To stay safe, make sure to update to version 9.0.2 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| lfprojects | valkey | <= 7.2.12 | – |
| lfprojects | valkey | > 8.0.0 , <= 8.0.7 | – |
| lfprojects | valkey | > 8.1.0 , <= 8.1.6 | – |
| lfprojects | valkey | > 9.0.0 , <= 9.0.2 | – |
Original title
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream f...
Original description
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue.
nvd CVSS3.1
7.1
Vulnerability type
CWE-74
Injection
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026