
CVE-2026-40960 · HIGH · CVSS 3.1: 8.1 (NVD)
EUVD-2026-23151 · SUSE
Always-Incorrect Control Flow Implementation (CWE-670)
2026-04-16 · mitre

Severity by source

  • NVD (primary): 8.1 HIGH, AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  • SUSE: HIGH (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline (10 events)

  • Apr 17, 2026 - 15:38 · Patch released (nvd): Patch available
  • Apr 16, 2026 - 05:56 · Analysis Updated (EUVD-patch-fix): executive_summary
  • Apr 16, 2026 - 05:29 · Re-analysis Queued (backfill_euvd_patch): patch_released
  • Apr 16, 2026 - 05:29 · Patch available (EUVD): 5.15.2
  • Apr 16, 2026 - 01:43 · Analysis Updated (vuln.today): v2 (cvss_changed)
  • Apr 16, 2026 - 01:38 · Re-analysis Queued (vuln.today): cvss_changed
  • Apr 16, 2026 - 01:19 · Analysis Generated (vuln.today)
  • Apr 16, 2026 - 01:15 · EUVD ID Assigned (euvd): EUVD-2026-23151
  • Apr 16, 2026 - 01:15 · Analysis Generated (vuln.today)
  • Apr 16, 2026 - 00:54 · CVE Published (nvd): HIGH 8.1

Description (CVE.org)

Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also receive access to it.

Analysis (AI)

Logic error in Luanti 5 (formerly Minetest) game engine before 5.15.2 allows malicious mods to gain unauthorized access to security-restricted APIs by intercepting mod environment setup. When any mod is designated as trusted (via secure.trusted_mods or secure.http_mods), a specially crafted mod can exploit the environment initialization sequence to receive the insecure environment or HTTP API access intended only for trusted mods. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Gain local file access
  • Delivery: Deploy malicious mod with interception hooks
  • Exploit: Trigger server mod reload
  • Execution: Intercept trusted mod environment during initialization
  • Persist: Execute code with unrestricted API access
  • Impact: Exfiltrate data or establish persistence

Vulnerability Assessment (AI)

Exploitation: Exploitation requires two specific conditions: (1) at least one mod must be explicitly listed in the server's secure.trusted_mods or secure.http_mods configuration settings, which creates the privileged environment that can be intercepted, and (2) the attacker must have local file system write access to install a malicious mod into the Luanti mods directory before server startup or during mod reload. …

Risk Assessment: Real-world risk depends heavily on deployment context. …

Exploit Scenario: An attacker with local access to a Luanti multiplayer server creates a malicious mod with carefully chosen initialization hooks and naming to execute during the mod loading phase. When the server administrator has configured legitimate mods in secure.trusted_mods to enable HTTP API access for content updates, the malicious mod intercepts the environment assignment. …

Remediation: Upgrade to Luanti 5.15.2 or later, which contains fixes in commits 0faf529bc4b89e70a275ed1162047815118f2413 and 827fd4cf7f989482b2dad381fa4afd642ea73e8c that correct the mod environment initialization logic. …

Recommended Action (AI)

Within 24 hours: Inventory all Luanti 5 installations and document current versions; identify systems running versions prior to 5.15.2. …


Vendor Status

SUSE

Severity: High


EUVD-2026-23151 vulnerability details – vuln.today
