Description
OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contain a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.
Published: 2026-02-17
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

OpenS100, the reference implementation of the Sā€‘100 viewer, contains an unrestricted Lua interpreter that can be exploited to run arbitrary code. The engine loads the full Lua standard library with luaL_openlibs, exposing functions such as os and io to untrusted Sā€‘100 portrayal catalogues. Malicious catalogues that embed Lua scripts can invoke these functions and execute commands with the privileges of the OpenS100 process when a user imports and loads a chart, thereby compromising confidentiality, integrity, and availability of the system.

Affected Systems

The vulnerability affects the OpenS100 Project:OpenS100 software before the commit 753cf29. All releases built from earlier source code are vulnerable.

Risk and Exploitability

The severity score of 9.4 indicates critical risk. The estimated exploitation probability is below 1%, suggesting that attacks are currently rare, but the absence of a listing in the CISA Known Exploited Vulnerabilities catalog does not lower the potential impact for those using older builds. A likely attack vector is a malicious portrayal catalogue that a user imports or that is supplied through social engineering or compromised update channels. Successful exploitation allows an attacker to run arbitrary commands with the same privileges as the OpenS100 process.

Generated by OpenCVE AI on April 16, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the OpenS100 source to the commit that disables unrestricted Lua library access (e.g., apply commit 753cf29 or later).
  • Reconfigure the Portrayal Engine to launch Lua in a sandboxed environment, restricting or removing access to the 'os' and 'io' libraries, or disable the Lua interpreter entirely when processing untrusted catalogues.
  • Limit catalogues to trusted sources by validating digital signatures or implementing access controls before importing them into OpenS100.

Generated by OpenCVE AI on April 16, 2026 at 17:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Opens100 Project
Opens100 Project opens100
Vendors & Products Opens100 Project
Opens100 Project opens100

Tue, 17 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Tue, 17 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
Description OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contain a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.
Title OpenS100 Portrayal Engine Unrestricted Lua Standard Library Access
Weaknesses CWE-749
CWE-829
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Opens100 Project Opens100
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T15:44:10.384Z

Reserved: 2026-01-06T16:47:17.186Z

Link: CVE-2026-22208

cve-icon Vulnrichment

Updated: 2026-02-17T14:43:01.257Z

cve-icon NVD

Status : Deferred

Published: 2026-02-17T15:16:22.320

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22208

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses