Lite XL Arbitrary Code Execution Vulnerability via Project Module

Vulnerability

A vulnerability in the Lite XL text editor, versions through 2.1.8, allows arbitrary code execution. When a project directory is opened, the editor automatically executes the project's .lite_project.lua file without user confirmation. Because this file can contain executable Lua code, opening a malicious project can lead to the execution of untrusted code with the same privileges as the Lite XL process.

Impact

The vulnerability could be exploited to execute arbitrary Lua code from a malicious project, with the same privileges as the Lite XL process.

Remediation

Users should update to the latest version of Lite XL that includes the trust guard for project modules. This update ensures that untrusted projects cannot automatically execute Lua code. Instructions for updating can be found on the Lite XL GitHub repository.
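A pre-open check for a freshly cloned or downloaded project, given here as an added example (it is not Lite XL code and not part of the original advisory): it lists every .lite_project.lua under a directory with its size and SHA-256 so the file can be reviewed before the folder is opened, and tells whether a version string falls in the affected range stated above. The function names and the x.y.z version-string format are assumptions.

```python
import hashlib
import os
import re
import sys

PROJECT_MODULE = ".lite_project.lua"  # file named in the advisory
LAST_AFFECTED = (2, 1, 8)             # "versions through 2.1.8" per the advisory


def parse_version(text):
    """Extract the first x.y.z triple from a version string (format assumed)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True when the version is at or below the last affected release."""
    return parse_version(version_text) <= LAST_AFFECTED


def find_project_modules(root):
    """Return sorted [(path, sha256, size)] for each project module under root.

    Any subdirectory can itself be opened as a project, so the whole tree
    is walked. Symlinked directories are not followed.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        if PROJECT_MODULE not in files:
            continue
        path = os.path.join(dirpath, PROJECT_MODULE)
        try:
            with open(path, "rb") as fh:
                data = fh.read()
            hits.append((path, hashlib.sha256(data).hexdigest(), len(data)))
        except OSError:
            # Broken symlink or unreadable file: still report its presence.
            hits.append((path, "unreadable", 0))
    return sorted(hits)


if __name__ == "__main__":
    found = find_project_modules(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, digest, size in found:
        print(f"REVIEW BEFORE OPENING: {path} ({size} bytes, sha256={digest})")
    sys.exit(1 if found else 0)
```

Run as a script, it exits non-zero when any project module is present, so it can gate a wrapper that opens the folder in the editor.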

Added: Nov 20, 2025, 5:23 PM
Updated: Nov 20, 2025, 7:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.4
remediation: 7.7
relevance: 1.0
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.