Description
Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files lparser.C.

This issue affects WickedEngine: through 0.71.727.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via buffer over-read
Action: Upgrade
AI Analysis

Impact

The vulnerability is an out-of-bounds read in the Lua parser component of WickedEngine that can expose internal memory contents when untrusted Lua scripts are compiled, creating a high risk of information disclosure. Classified as CWE-125, the flaw lets an attacker read beyond the bounds of a heap buffer and potentially recover sensitive data.

Affected Systems

The affected product is WickedEngine from turanszkij, in all releases through version 0.71.727. Lua modules that parse scripts using lparser.C are vulnerable.

Risk and Exploitability

The flaw carries a CVSS 4.0 score of 9.3, which is rated Critical. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the near term, and it is not listed in the CISA KEV catalog. The CVSS vector (AV:N/AC:L/AT:N/PR:N/UI:N) describes a network-reachable attack requiring neither privileges nor user interaction; in practice, the attacker needs the ability to submit malicious Lua source to the engine, either locally or over a network interface exposed by the application.

Generated by OpenCVE AI on April 18, 2026 at 02:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WickedEngine to a version later than 0.71.727 to eliminate the out-of-bounds read.
  • If an upgrade cannot be performed immediately, run the engine in a sandbox or otherwise restrict the execution of untrusted Lua scripts to limit the potential impact of the over-read.
  • Validate the size and structure of untrusted Lua source before handing it to the parser, to reduce the exposure of the buffer over-read.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 20:30:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  -                Turanszkij; Turanszkij wickedengine
  Vendors & Products   -                Turanszkij; Turanszkij wickedengine

Tue, 27 Jan 2026 17:15:00 +0000

  Type     Values Removed   Values Added
  Metrics  -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 09:15:00 +0000

  Type         Values Removed   Values Added
  Description  -                Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files lparser.C. This issue affects WickedEngine: through 0.71.727.
  Title        -                A heap-based buffer over-read that might affect a system that compiles untrusted Lua code in turanszkij/WickedEngine.
  Weaknesses   -                CWE-125
  References   -                -
  Metrics      -                cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:H/SI:N/SA:H/S:N/AU:Y/R:U/V:D/RE:M/U:Amber'}

MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T17:00:23.964Z

Reserved: 2026-01-27T08:48:56.893Z

Link: CVE-2026-24821

Vulnrichment

Updated: 2026-01-27T17:00:19.960Z

NVD

Status: Deferred

Published: 2026-01-27T09:15:52.797

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24821

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:30:15Z

Weaknesses