Luanti
Remote code execution in Luanti 5.0.0 through 5.15.1 allows authenticated attackers to escape the Lua sandbox via malicious mods, achieving arbitrary code execution and full filesystem access on victim devices when LuaJIT is enabled. The vulnerability affects server-side mods, async/mapgen environments, and client-side mods (CSM), requiring only low privileges to exploit. A vendor patch is available in version 5.15.2, addressing a CWE-94 code injection flaw that enables complete compromise of the host system. No active exploitation or proof-of-concept has been publicly identified at time of analysis.