{
  "url": "http://public2.vulnerablecode.io/api/vulnerabilities/83650?format=json",
  "vulnerability_id": "VCID-pg59-z6fq-h3gs",
  "summary": "OpenS100 (the reference-implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing the full standard library, including 'os' and 'io' (and with them os.execute and io.popen), to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.",
  "aliases": [
    { "alias": "CVE-2026-22208" }
  ],
  "fixed_packages": [],
  "affected_packages": [],
  "references": [
    {
      "reference_url": "https://www.mdpi.com/1424-8220/26/4/1246",
      "reference_id": "1246",
      "reference_type": "",
      "scores": [
        { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" },
        { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" },
        { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-17T14:43:21Z/" }
      ],
      "url": "https://www.mdpi.com/1424-8220/26/4/1246"
    },
    {
      "reference_url": "https://github.com/S-100ExpertTeam/OpenS100/commit/753cf294434e8d3961f20a567c4d99151e3b530d",
      "reference_id": "753cf294434e8d3961f20a567c4d99151e3b530d",
      "reference_type": "",
      "scores": [
        { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" },
        { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" },
        { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-17T14:43:21Z/" }
      ],
      "url": "https://github.com/S-100ExpertTeam/OpenS100/commit/753cf294434e8d3961f20a567c4d99151e3b530d"
    },
    {
      "reference_url": "https://www.vulncheck.com/advisories/opens100-portrayal-engine-unrestricted-lua-standard-library-access",
      "reference_id": "opens100-portrayal-engine-unrestricted-lua-standard-library-access",
      "reference_type": "",
      "scores": [
        { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" },
        { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" },
        { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-17T14:43:21Z/" }
      ],
      "url": "https://www.vulncheck.com/advisories/opens100-portrayal-engine-unrestricted-lua-standard-library-access"
    }
  ],
  "weaknesses": [
    {
      "cwe_id": 749,
      "name": "Exposed Dangerous Method or Function",
      "description": "The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted."
    },
    {
      "cwe_id": 829,
      "name": "Inclusion of Functionality from Untrusted Control Sphere",
      "description": "The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere."
    }
  ],
  "exploits": [],
  "severity_range_score": "9.4 - 9.6",
  "exploitability": null,
  "weighted_severity": null,
  "risk_score": null,
  "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pg59-z6fq-h3gs"
}
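The record above describes the pattern (Lua state created with luaL_openlibs(), untrusted catalogue scripts run with the full global table) but not what a restricted embedding looks like. The following is an added example, not code from OpenS100 or from the fixing commit: a Lua-level reproduction of the unsafe loader beside a hardened one that runs each catalogue rule in an allow-listed environment, refuses precompiled bytecode, and caps execution with an instruction budget. It assumes Lua 5.3/5.4 `load()` semantics; the rule text, the function names and the instruction limit are constructed for the demonstration. In the real C++ host the equivalent change is to replace luaL_openlibs() with luaL_requiref() calls for the safe libraries only and to nil out load, loadfile, dofile and require from the base library.

```lua
-- Added example (not OpenS100 project code). Assumes Lua 5.3/5.4.
-- Names below (malicious_rule, run_rule_unrestricted, run_rule_sandboxed,
-- make_sandbox_env) are hypothetical, chosen for this demonstration.

-- Constructed stand-in for a Lua rule embedded in a malicious S-100 portrayal
-- catalogue. It only REPORTS which dangerous globals it can reach instead of
-- running a command, so the demo is safe to execute. A real payload would call
-- os.execute(...) or io.popen(...) at the same spot.
local malicious_rule = [[
  local reached = {}
  for _, name in ipairs({ "os", "io", "package", "require",
                          "dofile", "loadfile", "load", "debug" }) do
    if _ENV[name] ~= nil then reached[#reached + 1] = name end
  end
  return reached
]]

-- Vulnerable pattern: the Lua-level equivalent of luaL_openlibs() followed by
-- running catalogue code in the shared global table. The default environment
-- of load() is _G, and the default mode "bt" also accepts bytecode chunks.
local function run_rule_unrestricted(src)
  local chunk, err = load(src, "=catalogue_rule")
  if not chunk then return false, err end
  return pcall(chunk)
end

-- Hardened pattern: an allow-list of pure functions and shallow copies of the
-- pure libraries. Deliberately absent: os, io, package, require, dofile,
-- loadfile, load, debug, collectgarbage, and the metatable/raw* functions.
local SAFE_GLOBALS = {
  "assert", "error", "ipairs", "next", "pairs", "pcall", "select",
  "tonumber", "tostring", "type",
}
local SAFE_LIBS = { "string", "table", "math", "utf8" }

local function make_sandbox_env()
  local env = {}
  for _, name in ipairs(SAFE_GLOBALS) do env[name] = _G[name] end
  for _, lib in ipairs(SAFE_LIBS) do
    local copy = {}
    -- Copy so a rule that patches string.format cannot affect later rules.
    for k, v in pairs(_G[lib] or {}) do copy[k] = v end
    env[lib] = copy
  end
  env._G = env  -- the rule sees only its own environment as "_G"
  return env
end

-- Each rule gets a fresh environment, text-only mode ("t") rejects bytecode,
-- and a count hook aborts rules that loop forever (a denial-of-service vector
-- that library removal alone does not address).
local function run_rule_sandboxed(src, max_instructions)
  local chunk, err = load(src, "=catalogue_rule", "t", make_sandbox_env())
  if not chunk then return false, err end
  local co = coroutine.create(chunk)
  debug.sethook(co, function()
    error("catalogue rule exceeded instruction budget")
  end, "", max_instructions or 1000000)
  return coroutine.resume(co)
end

-- Demonstration: the same rule text under both loaders.
local ok, reached = run_rule_unrestricted(malicious_rule)
print("unrestricted:", ok, table.concat(reached, ","))

local ok2, reached2 = run_rule_sandboxed(malicious_rule)
print("sandboxed:   ", ok2, table.concat(reached2, ","))

-- A bytecode chunk is refused outright by the hardened loader.
local bytecode = string.dump(function() return 1 end)
local ok3, err3 = run_rule_sandboxed(bytecode)
print("bytecode:    ", ok3, err3)
```

Run with a stock `lua` binary (whose standalone interpreter opens every library, matching luaL_openlibs()): the unrestricted loader lets the rule reach all of os, io, package, require, dofile, loadfile, load and debug; the sandboxed loader returns an empty list; the bytecode chunk fails to load. The allow-list direction matters: deleting `os` and `io` from _G after luaL_openlibs() is not sufficient, because `require`, `package.loadlib`, `load` with a binary chunk and the `debug` library each give a catalogue script another route to native code or to the host's own globals.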