CVE-2026-22208

· Published 17/02/2026 15:16 · Modified 18/02/2026 17:52

Labels: CVE-2026-22208, 2026-02-17, CWE-749

Essential information

Published: 17/02/2026 15:16
Modified: 18/02/2026 17:52
CVSS: 9.4 CRITICAL (v3), 9.4 CRITICAL (v4.0)
CISA KEV: No

Description

OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.
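
A pre-import triage check for the condition described above, added here as an example (it is not code from OpenS100 or from the advisory): it scans a catalogue's Lua rule files for references to globals that luaL_openlibs() exposes and that drawing rules should not need. The RISKY list, the *.lua directory layout and the sample files are assumptions; a static scan helps review and does not replace restricting the interpreter.

```python
import re
from pathlib import Path

# Globals a drawing rule should not need: process and file access, dynamic
# code loading, and handles on the global environment (editor's assumption).
RISKY = ("os", "io", "debug", "package", "require", "dofile", "loadfile",
         "loadstring", "load", "getfenv", "setfenv", "_G")

# Comments and string literals are blanked first so words inside them don't count.
_SKIP = re.compile(
    r"--\[(=*)\[.*?\]\1\]"       # --[[ block comment ]]
    r"|--[^\n]*"                 # -- line comment
    r"|\[(=*)\[.*?\]\2\]"        # [[ long string ]]
    r'|"(?:\\.|[^"\\\n])*"'      # "string"
    r"|'(?:\\.|[^'\\\n])*'",     # 'string'
    re.S)
# Bare identifier only: not a field (a.os), a method (a:load) or a longer name.
_NAME = re.compile(r"(?<![\w.:])(%s)\b" % "|".join(RISKY))

def scan_lua(source):
    """Return sorted (line_number, global_name) pairs for risky references."""
    blank = lambda m: " " + "\n" * m.group(0).count("\n")  # keep line numbers
    code = _SKIP.sub(blank, source)
    return sorted({(code.count("\n", 0, m.start()) + 1, m.group(1))
                   for m in _NAME.finditer(code)})

def scan_catalogue(root):
    """Scan every *.lua file under root; return {relative_path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.lua")):
        hits = scan_lua(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample rule files (not taken from any real catalogue).
BENIGN = '''-- uses os-independent math only
local function radius(scale) return math.floor(scale / 1000) end
local label = "io and os appear only inside this string"
return radius(50000)
'''
SUSPECT = '''local depth = 10
--[[ block comment mentioning require ]]
local f = io.open("track.log", "a")
os.execute("placeholder-command")
local env = _G
'''
```

A rule file that legitimately uses a local variable named like one of these globals will also be reported, so findings are a prompt for manual review.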

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product: opens100 / opens100
CPE: cpe:2.3:a:opens100:opens100:<753cf29:*:*:*:*:*:*:*
