{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22208", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-06T16:47:17.186Z", "datePublished": "2026-02-17T14:29:05.423Z", "dateUpdated": "2026-03-23T15:44:10.384Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "OpenS100", "product": "OpenS100", "repo": "https://github.com/S-100ExpertTeam/OpenS100", "vendor": "OpenS100 Project", "versions": [{"lessThan": "753cf294434e8d3961f20a567c4d99151e3b530d", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Hoyeon Cho, National Korea Maritime and Ocean University"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contain a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.<br>"}], "value": "OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contain a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.4, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-749", "description": "CWE-749 Exposed Dangerous Method or Function", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-23T15:44:10.384Z"}, "references": [{"tags": ["technical-description", "exploit"], "url": "https://www.mdpi.com/1424-8220/26/4/1246"}, {"tags": ["patch"], "url": "https://github.com/S-100ExpertTeam/OpenS100/commit/753cf294434e8d3961f20a567c4d99151e3b530d"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/opens100-portrayal-engine-unrestricted-lua-standard-library-access"}], "source": {"discovery": "EXTERNAL"}, "title": "OpenS100 Portrayal Engine Unrestricted Lua Standard Library Access", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T14:43:21.468091Z", "id": "CVE-2026-22208", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:43:43.158Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22208", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-17T14:43:21.468091Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:43:01.257Z"}}], "cna": {"title": "OpenS100 Portrayal Engine Unrestricted Lua Standard Library Access", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Hoyeon Cho, National Korea Maritime and Ocean University"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/S-100ExpertTeam/OpenS100", "vendor": "OpenS100 Project", "product": "OpenS100", "versions": [{"status": "affected", "version": "0", "lessThan": "753cf294434e8d3961f20a567c4d99151e3b530d", "versionType": "git"}], "packageName": "OpenS100", "defaultStatus": "unaffected"}], "references": [{"url": "https://www.mdpi.com/1424-8220/26/4/1246", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/S-100ExpertTeam/OpenS100/commit/753cf294434e8d3961f20a567c4d99151e3b530d", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/opens100-portrayal-engine-unrestricted-lua-standard-library-access", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contain a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.", "supportingMedia": [{"type": "text/html", "value": "OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contain a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-749", "description": "CWE-749 Exposed Dangerous Method or Function"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-23T15:44:10.384Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22208", "state": "PUBLISHED", "dateUpdated": "2026-03-23T15:44:10.384Z", "dateReserved": "2026-01-06T16:47:17.186Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-17T14:29:05.423Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contain a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart."}, {"lang": "es", "value": "OpenS100 (el visor S-100 de implementaci\u00f3n de referencia) anterior al commit 753cf29 contiene una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de un int\u00e9rprete Lua sin restricciones. El Motor de Representaci\u00f3n inicializa Lua usando luaL_openlibs() sin sandboxing ni restricciones de capacidad, exponiendo bibliotecas est\u00e1ndar como 'os' e 'io' a cat\u00e1logos de representaci\u00f3n no confiables. Un atacante puede proporcionar un cat\u00e1logo de representaci\u00f3n S-100 malicioso que contiene scripts Lua que ejecutan comandos arbitrarios con los privilegios del proceso OpenS100 cuando un usuario importa el cat\u00e1logo y carga una carta."}], "id": "CVE-2026-22208", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-17T15:16:22.320", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/S-100ExpertTeam/OpenS100/commit/753cf294434e8d3961f20a567c4d99151e3b530d"}, {"source": "disclosure@vulncheck.com", "url": "https://www.mdpi.com/1424-8220/26/4/1246"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/opens100-portrayal-engine-unrestricted-lua-standard-library-access"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-749"}, {"lang": "en", "value": "CWE-829"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,753cf29)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "opens100", "vendor": "opens100_project"}], "analysis": {"en": {"generated_at": "2026-04-16T17:08:23.417132+00:00", "value": {"mitigation_remediation": ["Update the OpenS100 source to the commit that disables unrestricted Lua library access (e.g., apply commit 753cf29 or later).", "Reconfigure the Portrayal Engine to launch Lua in a sandboxed environment, restricting or removing access to the 'os' and 'io' libraries, or disable the Lua interpreter entirely when processing untrusted catalogues.", "Limit catalogues to trusted sources by validating digital signatures or implementing access controls before importing them into OpenS100."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the OpenS100 Project:OpenS100 software before the commit 753cf29. All releases built from earlier source code are vulnerable.", "description_and_impact": "OpenS100, the reference implementation of the S\u2011100 viewer, contains an unrestricted Lua interpreter that can be exploited to run arbitrary code. The engine loads the full Lua standard library with luaL_openlibs, exposing functions such as os and io to untrusted S\u2011100 portrayal catalogues. Malicious catalogues that embed Lua scripts can invoke these functions and execute commands with the privileges of the OpenS100 process when a user imports and loads a chart, thereby compromising confidentiality, integrity, and availability of the system.", "risk_and_exploitability": "The severity score of 9.4 indicates critical risk. The estimated exploitation probability is below 1%, suggesting that attacks are currently rare, but the absence of a listing in the CISA Known Exploited Vulnerabilities catalog does not lower the potential impact for those using older builds. A likely attack vector is a malicious portrayal catalogue that a user imports or that is supplied through social engineering or compromised update channels. Successful exploitation allows an attacker to run arbitrary commands with the same privileges as the OpenS100 process."}}}}, "created": "2026-02-18T10:43:52.409546+00:00", "updated": "2026-04-16T17:15:17.988777+00:00", "vendors": ["opens100_project", "opens100_project$PRODUCT$opens100"]}