Skip to main content

CVE-2026-22208

CRITICAL
Exposed Dangerous Method or Function (CWE-749)
2026-02-17 disclosure@vulncheck.com
9.4
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vulncheck) · only source for this CVE.

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
May 26, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
May 26, 2026 - 14:22 NVD
9.6 (CRITICAL) 9.4 (CRITICAL)
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 17, 2026 - 15:16 nvd
CRITICAL 9.6

DescriptionCVE.org

OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contain a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.

AnalysisAI

Remote code execution in OpenS100 (S-100 viewer reference implementation) prior to commit 753cf29. Malicious S-100 dataset files can trigger code execution when opened. CVSS 9.6.

Technical ContextAI

CWE-749 exposed dangerous method or function. The S-100 viewer processes dataset files in a way that allows code execution through crafted input.

Affected ProductsAI

OpenS100 prior to commit 753cf29

RemediationAI

Update to OpenS100 commit 753cf29 or later. Validate S-100 dataset files before opening.

Share

CVE-2026-22208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy