CVE Catalog

CVE-2026-22208

Critical
Published: Translated: NVD NIST

Summary

OpenS100 prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua without sandboxing, exposing standard libraries from untrusted portrayal catalogs.

Risk Assessment

An attacker can provide a malicious S-100 portrayal catalog containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process. This could lead to serious security breaches within the organization.

Recommendation

It is recommended to update OpenS100 to a version that includes security patches and to restrict access to portrayal catalogs only to trusted sources.

Original NVD description (English source)

OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS