Luanti Arbitrary Code Execution Vulnerability via Sandbox Escape

Vulnerability

A vulnerability in Luanti (formerly Minetest) versions 5.0.0 up to, but not including, 5.15.2 allows a malicious mod to escape the sandboxed Lua environment, execute arbitrary code, and gain full filesystem access on the user's device. The issue affects the server-side mod, async and mapgen environments as well as the client-side (CSM) environment. The vulnerability is only exploitable when Luanti is using LuaJIT.

Impact

Exploitation of this vulnerability allows for arbitrary code execution and unauthorized access to the user's filesystem.

Remediation

Users can upgrade to Luanti version 5.15.2 or newer. Alternatively, on release versions, the issue can be patched without recompiling by adding the line 'getfenv = nil' to 'builtin/init.lua'. However, this workaround may disrupt mods that depend on the 'getfenv' function.
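
An added example, not part of the advisory or of the Luanti project: a shell check that classifies an install from its version string and the contents of its 'builtin/init.lua', using the affected range and the 'getfenv = nil' workaround stated above. The function names are hypothetical, the sample files are constructed, and the check does not determine whether the build uses LuaJIT.

```shell
#!/bin/sh
# Added example: classify a Luanti install against the advisory's stated
# affected range (5.0.0 up to, not including, 5.15.2) and its workaround.
# Function names are hypothetical. It does not detect whether the build
# uses LuaJIT, which the advisory says is required for exploitation.

# ver_num X.Y.Z -> single comparable integer (suffixes like "-dev" dropped)
ver_num() {
    v=${1%%-*}
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Succeeds when the version lies in the affected range.
luanti_version_affected() {
    n=$(ver_num "$1")
    [ "$n" -ge "$(ver_num 5.0.0)" ] && [ "$n" -lt "$(ver_num 5.15.2)" ]
}

# Succeeds when init.lua has an active (not commented-out) 'getfenv = nil'.
workaround_present() {
    grep -Eq '^[[:space:]]*getfenv[[:space:]]*=[[:space:]]*nil[[:space:]]*(--.*)?$' "$1"
}

# audit_luanti VERSION PATH_TO_BUILTIN_INIT_LUA -> prints one status word
audit_luanti() {
    if ! luanti_version_affected "$1"; then
        echo "not-affected"
    elif workaround_present "$2"; then
        echo "workaround-applied"
    else
        echo "affected"
    fi
}

# Constructed sample files standing in for builtin/init.lua.
demo_dir=$(mktemp -d)
printf '%s\n' '-- getfenv = nil' 'local x = 1' > "$demo_dir/plain.lua"
printf '%s\n' 'local x = 1' 'getfenv = nil' > "$demo_dir/fixed.lua"
audit_luanti 5.14.0 "$demo_dir/plain.lua"
audit_luanti 5.14.0 "$demo_dir/fixed.lua"
audit_luanti 5.15.2 "$demo_dir/plain.lua"
```

A commented-out '-- getfenv = nil' line is deliberately not counted as the workaround.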

Added: Apr 23, 2026, 2:28 AM
Updated: Apr 23, 2026, 2:28 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.5
remediation: 0.0
relevance: 6.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.