The vulnerability CVE-2026-22208 affects OpenS100, an open-source reference implementation for viewing S-100 maritime charts and related geospatial data. The root cause is the initialization of the Lua interpreter via luaL_openlibs() without any sandboxing or capability restrictions. This exposes powerful standard Lua libraries such as 'os' and 'io', which provide access to operating system commands and file I/O operations. An attacker can exploit this by crafting a malicious S-100 portrayal catalogue embedded with Lua scripts that leverage these libraries to execute arbitrary commands on the host system. When a user imports this malicious catalogue and loads the chart in OpenS100, the Lua scripts run with the same privileges as the OpenS100 process, potentially leading to full system compromise. The vulnerability does not require any prior authentication but does require user interaction to import the malicious catalogue. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates network attack vector, low complexity, no privileges, no authentication, user interaction required, and high impact on confidentiality, integrity, and availability with scope and security requirements all high. No patches were linked at the time of publication, and no exploits are known in the wild, but the severity and ease of exploitation make this a critical threat. The vulnerability is categorized under CWE-749 (Exposed Dangerous Method or Function) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), highlighting the risk of exposing dangerous interpreter capabilities to untrusted input. This vulnerability could be leveraged to execute arbitrary code, steal sensitive data, disrupt operations, or move laterally within a network.

For European organizations, the impact of this vulnerability is significant, especially for those involved in maritime navigation, geospatial data analysis, and related government or commercial sectors that utilize the S-100 standard and OpenS100 software. Successful exploitation could lead to remote code execution, allowing attackers to take control of affected systems, exfiltrate sensitive maritime or geospatial data, disrupt critical navigation or mapping services, and potentially impact maritime safety and security operations. The compromise of such systems could also facilitate further attacks within organizational networks, including espionage or sabotage. Given the critical CVSS score and the lack of required privileges or authentication, the threat surface is broad. Organizations relying on OpenS100 for operational decision-making or regulatory compliance face risks to confidentiality, integrity, and availability of their data and systems. The requirement for user interaction (importing a malicious catalogue) means social engineering or phishing campaigns could be used to deliver the exploit. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for mitigation.

1. Apply patches or updates from the OpenS100 project as soon as they become available that address this vulnerability by sandboxing or restricting Lua interpreter capabilities. 2. Until patches are available, disable or restrict the import of untrusted S-100 portrayal catalogues, especially from external or unknown sources. 3. Implement strict validation and sanitization of all imported portrayal catalogues to detect and block embedded Lua scripts or suspicious content. 4. Employ application-level sandboxing or containerization to isolate OpenS100 processes, limiting the potential impact of code execution. 5. Educate users on the risks of importing unverified catalogues and implement policies to minimize user interaction with untrusted files. 6. Monitor network and host systems for unusual behavior indicative of exploitation attempts, such as unexpected command executions or file system changes. 7. Use endpoint protection solutions capable of detecting and blocking malicious Lua script execution or anomalous process behavior. 8. Consider network segmentation to isolate systems running OpenS100 from critical infrastructure and sensitive data repositories. 9. Engage with the OpenS100 community or vendor for guidance and early access to security updates.