
Description

OpenS100 (the reference S-100 viewer implementation) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua with luaL_openlibs() and applies no sandboxing or capability restrictions, so the full standard library, including the 'os' and 'io' libraries, is exposed to untrusted portrayal catalogues. An attacker can supply a malicious S-100 portrayal catalogue whose Lua scripts execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.
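The following is an added example, not code from OpenS100 or from the advisory, showing the difference the description is about: with every standard library opened and the untrusted chunk run against the real global table, a catalogue script reaches os.execute() and io.open() directly; run against a whitelisted environment instead, the same script fails before it can touch the OS. The two catalogue scripts are constructed samples, and the whitelist and instruction budget are this example's own choices, not anything the patch is known to do. It assumes Lua 5.2 or later (load() with an env argument and the "t" mode). The host-side equivalent in C, the usual embedding practice rather than a claim about commit 753cf29, is to replace the single luaL_openlibs() call with luaL_requiref() for only the libraries the portrayal scripts need and to nil out load/dofile/loadfile/require from the base library.

```lua
-- Added example (not OpenS100 code): run an untrusted portrayal-catalogue
-- script in a whitelisted environment instead of against the full globals
-- that luaL_openlibs() installs. Assumes Lua 5.2+.

-- Constructed sample of a hostile catalogue script. In an unsandboxed
-- state this runs a command and reads a file as the viewer process.
local hostile_chunk = [[
  os.execute("id")
  return io.open("/etc/passwd"):read("a")
]]

-- Constructed sample of a legitimate portrayal script: pure computation.
local benign_chunk = [[
  local depth = ...
  return depth < 10 and "shallow" or "deep", string.format("%.1f m", depth)
]]

-- Build the environment the untrusted script is allowed to see: nothing that
-- touches the OS, the filesystem, other chunks, metatables or the real globals.
local function make_sandbox_env()
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, unpack = table.unpack,
    -- Shallow copies, so a script cannot poison the host's shared library tables.
    math = {}, string = {}, table = {},
  }
  for k, v in pairs(math)   do env.math[k]   = v end
  for k, v in pairs(table)  do env.table[k]  = v end
  for k, v in pairs(string) do env.string[k] = v end
  -- string.dump emits bytecode; string.rep allocates huge strings cheaply.
  -- Caveat: the string metatable still routes ("x"):rep(n) to the real
  -- library, so a host that cares must also clear that metatable's __index.
  env.string.dump = nil
  env.string.rep  = nil
  -- Deliberately absent: os, io, package, debug, require, dofile, loadfile,
  -- load, rawget/rawset/rawequal, getmetatable/setmetatable, collectgarbage.
  env._G = env
  return env
end

-- Compile and run one catalogue script under the sandbox.
-- Mode "t" rejects precompiled bytecode, which can escape any Lua-level sandbox.
local function run_untrusted(chunk, name, ...)
  local env = make_sandbox_env()
  local fn, err = load(chunk, "=" .. name, "t", env)
  if not fn then return nil, "compile error: " .. err end
  -- Instruction-count hook: a sandboxed script can still spin forever,
  -- so cap the work it may do (budget is an arbitrary example value).
  local budget = 1000000
  debug.sethook(function()
    budget = budget - 1000
    if budget <= 0 then error("instruction budget exceeded", 2) end
  end, "", 1000)
  local results = table.pack(pcall(fn, ...))
  debug.sethook()
  if not results[1] then return nil, "runtime error: " .. tostring(results[2]) end
  return table.unpack(results, 2, results.n)
end

print(run_untrusted(benign_chunk, "benign.lua", 4.2))
print(run_untrusted(hostile_chunk, "hostile.lua"))
```

Running this with a stock interpreter, the benign script returns its two values, while the hostile script fails at its first line with an "attempt to index a nil value (global 'os')" error and never reaches io.open(). The sandbox is only as good as its whitelist and the host's own globals: anything reachable through a metatable, a C function that closes over the real state, or a later require() in host code reopens the hole, which is why the durable fix lives in how the host constructs the lua_State rather than in a Lua-side wrapper.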

PUBLISHED Reserved 2026-01-06 | Published 2026-02-17 | Updated 2026-02-17 | Assigner VulnCheck




CRITICAL: 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CRITICAL: 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Problem types

CWE-749 Exposed Dangerous Method or Function

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

Product status

Default status
unaffected

Any version before commit 753cf29
affected

Credits

Hoyeon Cho, National Korea Maritime and Ocean University (finder)

References

www.mdpi.com/1424-8220/26/4/1246 (technical-description, exploit)

github.com/...ommit/753cf294434e8d3961f20a567c4d99151e3b530d (patch)

www.vulncheck.com/...nrestricted-lua-standard-library-access (third-party-advisory)

cve.org (CVE-2026-22208)

nvd.nist.gov (CVE-2026-22208)
