EUVD-2026-23151
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also receive access to it.
AnalysisAI
Logic error in Luanti 5 (formerly Minetest) game engine before 5.15.2 allows malicious mods to gain unauthorized access to security-restricted APIs by intercepting mod environment setup. When any mod is designated as trusted (via secure.trusted_mods or secure.http_mods), a specially crafted mod can exploit the environment initialization sequence to receive the insecure environment or HTTP API access intended only for trusted mods. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Inventory all Luanti 5 installations and document current versions; identify systems running versions prior to 5.15.2. Within 7 days: Test and deploy Luanti 5.15.2 or later across development and non-production environments; review mod trust configurations and audit which mods are designated as trusted. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today