Description
Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod.
Published: 2026-04-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A crafted mod that exploits LuaJIT in Luanti allows a sandbox escape, giving an attacker the ability to execute arbitrary Lua code outside the intended safe environment. This flaw maps to CWE-829, exposing the application to excessive privilege gain during mod loading.

Affected Systems

Luanti is impacted in all versions prior to 5.15.2. Users running Luanti 5.x with LuaJIT enabled are at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 9.3, indicating critical severity, and is not listed in the CISA Known Exploited Vulnerabilities catalog. EPSS data is unavailable, but the lack of mitigation in the community suggests the risk remains high. The likely attack vector is the deployment of a crafted mod in environments where LuaJIT is enabled; this inference is based on the description of a sandbox escape via a crafted module.

Generated by OpenCVE AI on April 16, 2026 at 09:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Luanti to version 5.15.2 or newer, which resolves the sandbox escape.
  • Disable LuaJIT functionality in Luanti unless required for legitimate workarounds.
  • Restrict mod installation to verified, trusted sources and audit mod code before deployment.

Generated by OpenCVE AI on April 16, 2026 at 09:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6217-1 luanti security update
History

Thu, 16 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
Title Lua sandbox escape via crafted module in Luanti using LuaJIT
First Time appeared Luanti
Luanti luanti
Vendors & Products Luanti
Luanti luanti

Thu, 16 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Description Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod.
Weaknesses CWE-829
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Luanti Luanti
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-16T12:32:04.767Z

Reserved: 2026-04-16T00:51:19.133Z

Link: CVE-2026-40959

cve-icon Vulnrichment

Updated: 2026-04-16T12:22:24.129Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-16T01:16:11.617

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40959

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:15:30Z

Weaknesses