CVE-2026-41196

EUVD-2026-25154

23.04.2026, 02:16

Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. On release versions, one can also patch this issue without recompiling by editing `builtin/init.lua` and adding the line `getfenv = nil` at the end. Note that this will break mods relying on this function (which is not inherently unsafe).

Code Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

luanti

forky	vulnerable
sid	5.15.2+dfsg-1 fixed
trixie	vulnerable
trixie (security)	5.10.0+dfsg-5+deb13u1 fixed

Ubuntu Releases

Ubuntu Product

Codename

luanti

jammy	dne
noble	dne
questing	needs-triage
resolute	needs-triage

minetest

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
questing	dne
resolute	dne
xenial	needs-triage

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References

https://github.com/luanti-org/luanti/commit/8a929dfb97aa08337f49ba1bb96a56d6557dc896

https://github.com/luanti-org/luanti/security/advisories/GHSA-g596-mf82-w8c3