Description
OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.
Published: 2026-02-17
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenS100, the reference implementation of the Sā€‘100 viewer, contains a remote code execution vulnerability through an unrestricted Lua interpreter. The Portrayal Engine initializes Lua with luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as os and io to untrusted Sā€‘100 portrayal catalogues. An attacker can supply a malicious catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.

Affected Systems

The vulnerability affects the OpenS100 Project:OpenS100 software before the commit 753cf29. All releases built from earlier source code are vulnerable.

Risk and Exploitability

The severity score of 9.4 indicates critical risk. The estimated exploitation probability is below 1%, suggesting that attacks are currently rare, but the absence of a listing in the CISA Known Exploited Vulnerabilities catalog does not lower the potential impact for those using older builds. A likely attack vector is a malicious portrayal catalogue that a user imports or that is supplied through social engineering or compromised update channels. Successful exploitation allows an attacker to run arbitrary commands with the same privileges as the OpenS100 process.

Generated by OpenCVE AI on May 26, 2026 at 15:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the OpenS100 source to the commit that disables unrestricted Lua library access (e.g., apply commit 753cf29 or later).
  • Reconfigure the Portrayal Engine to launch Lua in a sandboxed environment, restricting or removing access to the 'os' and 'io' libraries, or disable the Lua interpreter entirely when processing untrusted catalogues.
  • Limit catalogues to trusted sources by validating digital signatures or implementing access controls before importing them into OpenS100.

Generated by OpenCVE AI on May 26, 2026 at 15:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contain a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart. OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.

Wed, 18 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Opens100 Project
Opens100 Project opens100
Vendors & Products Opens100 Project
Opens100 Project opens100

Tue, 17 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Tue, 17 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
Description OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contain a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.
Title OpenS100 Portrayal Engine Unrestricted Lua Standard Library Access
Weaknesses CWE-749
CWE-829
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Opens100 Project Opens100
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T11:51:57.620Z

Reserved: 2026-01-06T16:47:17.186Z

Link: CVE-2026-22208

cve-icon Vulnrichment

Updated: 2026-02-17T14:43:01.257Z

cve-icon NVD

Status : Deferred

Published: 2026-02-17T15:16:22.320

Modified: 2026-05-26T14:16:28.767

Link: CVE-2026-22208

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T15:15:08Z

Weaknesses