Lite XL Arbitrary Command Execution Vulnerability
Vulnerability
A vulnerability allowing arbitrary command execution has been identified in Lite XL versions through 2.1.8. The legacy system.exec function handed a single command string to the system shell, and its callers built that string from file and directory paths without shell-safe quoting, so shell metacharacters in a path (for example a command substitution embedded in a file name) were interpreted by the shell and executed with the privileges of the Lite XL process. The affected code paths were project directory launching, drag-and-drop file handling, and the 'open in system' command of the treeview plugin; in each case the path is attacker-influenced, so a crafted file or directory name was enough to trigger execution.
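The following Lua snippet is an added illustration, not code from the Lite XL project, showing the injection class described above and two ways to avoid it. It assumes xdg-open as the system opener, a constructed attacker-controlled file name, and that Lite XL's process.start accepts an argument table (the project's argv-based spawn API; the call is only reached when running inside Lite XL). Nothing in the block executes a command; it only builds the strings so the difference is visible.

```lua
-- Added example (not Lite XL project code): why building a shell string
-- from a path is unsafe, and how an argv-based spawn sidesteps the shell.
-- `process.start` is assumed to be Lite XL's argument-table spawn API;
-- `system.exec` is the removed legacy function and is not called here.

-- Constructed attacker-controlled path: the file name carries a command
-- substitution. A victim only has to open, drag, or "open in system" it.
local evil_path = "/home/user/notes$(touch /tmp/pwned).txt"

-- Vulnerable pattern: Lua's %q quotes for Lua, not for the shell. It wraps
-- the value in double quotes, and a POSIX shell still expands $(...) and
-- backticks inside double quotes, so the substitution runs before xdg-open.
local function build_shell_command_unsafe(path)
  return string.format("xdg-open %q", path)
end

-- Hardened pattern 1: never hand a string to a shell. With an argv table the
-- path is delivered as one argument and no shell parsing takes place.
local function open_in_system_safe(path)
  if process and process.start then
    -- assumed signature: process.start({ argv... }) -> process object
    return process.start({ "xdg-open", path })
  end
  return nil, "process API not available outside Lite XL"
end

-- Hardened pattern 2: if a shell is unavoidable, single-quote the argument.
-- Inside single quotes a POSIX shell expands nothing; an embedded single
-- quote is spliced in as '\'' (close quote, escaped quote, reopen quote).
local function shell_quote(s)
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

local function build_shell_command_quoted(path)
  return "xdg-open " .. shell_quote(path)
end

-- Compare the two command strings: the unsafe one contains a live $(...)
-- inside double quotes; the quoted one carries it as an inert literal.
print("unsafe:  " .. build_shell_command_unsafe(evil_path))
print("quoted:  " .. build_shell_command_quoted(evil_path))

-- The argv form is the one a plugin should use; it returns a process
-- handle inside Lite XL and an error string when run under plain Lua.
local proc, err = open_in_system_safe(evil_path)
print("argv spawn: " .. tostring(proc or err))
```

The practical check for a plugin author is simple: grep for system.exec and for any string concatenation that feeds os.execute or io.popen; each hit that includes a path, a file name, or a buffer fragment is the same bug, and the fix is an argument table rather than better quoting.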
Impact
Exploitation of this vulnerability allowed arbitrary shell command execution in the security context of the user running Lite XL, which could be used to compromise the host system. Because the trigger is a crafted file or directory name rather than a code change, a user who opens, drags in, or browses a malicious path is affected without any further interaction.
Remediation
Users are advised to update to a Lite XL release later than 2.1.8, in which the legacy system.exec function has been removed so that the unsafe shell-string entry point is no longer available. Third-party plugins that still call system.exec will stop working after the update and should be migrated to an API that spawns a process from an argument list rather than a shell command string.
