{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41196", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T02:51:52.973Z", "datePublished": "2026-04-23T00:28:56.716Z", "dateUpdated": "2026-04-23T14:38:39.113Z"}, "containers": {"cna": {"title": "Luanti has a mod security sandbox escape", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/luanti-org/luanti/security/advisories/GHSA-g596-mf82-w8c3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/luanti-org/luanti/security/advisories/GHSA-g596-mf82-w8c3"}, {"name": "https://github.com/luanti-org/luanti/commit/8a929dfb97aa08337f49ba1bb96a56d6557dc896", "tags": ["x_refsource_MISC"], "url": "https://github.com/luanti-org/luanti/commit/8a929dfb97aa08337f49ba1bb96a56d6557dc896"}], "affected": [{"vendor": "luanti-org", "product": "luanti", "versions": [{"version": ">= 5.0.0, < 5.15.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T00:28:56.716Z"}, "descriptions": [{"lang": "en", "value": "Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. On release versions, one can also patch this issue without recompiling by editing `builtin/init.lua` and adding the line `getfenv = nil` at the end. Note that this will break mods relying on this function (which is not inherently unsafe)."}], "source": {"advisory": "GHSA-g596-mf82-w8c3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T14:38:05.758080Z", "id": "CVE-2026-41196", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:38:39.113Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41196", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T02:51:52.973Z", "datePublished": "2026-04-23T00:28:56.716Z", "dateUpdated": "2026-04-23T14:38:39.113Z"}, "containers": {"cna": {"title": "Luanti has a mod security sandbox escape", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/luanti-org/luanti/security/advisories/GHSA-g596-mf82-w8c3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/luanti-org/luanti/security/advisories/GHSA-g596-mf82-w8c3"}, {"name": "https://github.com/luanti-org/luanti/commit/8a929dfb97aa08337f49ba1bb96a56d6557dc896", "tags": ["x_refsource_MISC"], "url": "https://github.com/luanti-org/luanti/commit/8a929dfb97aa08337f49ba1bb96a56d6557dc896"}], "affected": [{"vendor": "luanti-org", "product": "luanti", "versions": [{"version": ">= 5.0.0, < 5.15.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T00:28:56.716Z"}, "descriptions": [{"lang": "en", "value": "Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. On release versions, one can also patch this issue without recompiling by editing `builtin/init.lua` and adding the line `getfenv = nil` at the end. Note that this will break mods relying on this function (which is not inherently unsafe)."}], "source": {"advisory": "GHSA-g596-mf82-w8c3", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41196", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T14:38:05.758080Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:38:32.465Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:minetest:minetest:*:*:*:*:*:*:*:*", "matchCriteriaId": "85C02E6C-1F41-4022-BDF4-6559B884A472", "versionEndExcluding": "5.15.2", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. On release versions, one can also patch this issue without recompiling by editing `builtin/init.lua` and adding the line `getfenv = nil` at the end. Note that this will break mods relying on this function (which is not inherently unsafe)."}], "id": "CVE-2026-41196", "lastModified": "2026-05-14T16:35:18.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-23T02:16:17.900", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/luanti-org/luanti/commit/8a929dfb97aa08337f49ba1bb96a56d6557dc896"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/luanti-org/luanti/security/advisories/GHSA-g596-mf82-w8c3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "luanti: minetest: luajit: Luanti (Minetest): Arbitrary code execution and full filesystem access via malicious mod sandbox escape", "id": "2461027", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461027"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-749", "details": ["A flaw was found in Luanti (formerly Minetest), an open-source game platform. A malicious mod, when executed within the LuaJIT environment, can bypass security restrictions designed to isolate it. This allows the mod to execute unauthorized code and gain full access to the user's device, potentially leading to a complete system compromise."], "name": "CVE-2026-41196", "public_date": "2026-04-23T00:28:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41196\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41196\nhttps://github.com/luanti-org/luanti/commit/8a929dfb97aa08337f49ba1bb96a56d6557dc896\nhttps://github.com/luanti-org/luanti/security/advisories/GHSA-g596-mf82-w8c3"], "statement": "This vulnerability is only exploitable when using LuaJIT. You can use ```luanti --version``` to determine the type of Lua in use.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.15.2)"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 87.0, "source": "matching"}]}, "original": {"product": "luanti", "source": "cna", "vendor": "luanti-org"}, "product": "luanti", "vendor": "luanti"}], "analysis": {"en": {"generated_at": "2026-04-28T15:03:22.628932+00:00", "value": {"mitigation_remediation": ["Upgrade Luanti to version 5.15.2 or newer", "If upgrading is not possible, edit builtin/init.lua to add the line getfenv = nil at the end", "Remove or disable untrusted mods from the server or client"], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected vendor is luanti\u2011org and the product is Luanti. All releases from version 5.0.0 up to, but not including, 5.15.2 are impacted when LuaJIT is used, on both server\u2011side and client\u2011side environments.", "description_and_impact": "Luanti, an open-source voxel game creation platform, contains a flaw that allows a malicious mod to escape the sandboxed Lua environment. The vulnerability enables arbitrary code execution and full file\u2011system access on the host. It is rooted in sandbox escape (CWE\u2011749) and executable code injection (CWE\u201194).", "risk_and_exploitability": "The CVSS score of 9 indicates a high severity flaw, yet the EPSS score is less than 1 percent and it is not listed in the CISA KEV catalog, suggesting a low current exploitation probability. Attackers would need to deploy a malicious mod\u2014typically by uploading or installing it in a trusted directory\u2014while LuaJIT is active. Once patched, the risk is eliminated for all users of the affected versions."}}}}, "created": "2026-04-28T09:00:06.159716+00:00", "updated": "2026-04-28T15:15:34.200356+00:00", "vendors": ["luanti", "luanti$PRODUCT$luanti"]}