CVE-2026-22208
CriticalSummary
OpenS100 prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua without sandboxing, exposing standard libraries from untrusted portrayal catalogs.
Risk Assessment
An attacker can provide a malicious S-100 portrayal catalog containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process. This could lead to serious security breaches within the organization.
Recommendation
It is recommended to update OpenS100 to a version that includes security patches and to restrict access to portrayal catalogs only to trusted sources.
Original NVD description (English source)
OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.

