CVE-2026-41196: CWE-94: Improper Control of Generation of Code ('Code Injection') in luanti-org luanti
Luanti versions from 5. 0. 0 up to but not including 5. 15. 2 contain a critical code injection vulnerability (CWE-94) that allows a malicious mod to escape the sandboxed Lua environment and execute arbitrary code with full filesystem access. This affects server-side mods, async, mapgen, and client-side mod environments when LuaJIT is used. The vulnerability is patched in version 5. 15. 2. A manual mitigation is possible by editing the builtin/init.
AI Analysis
Technical Summary
Luanti (formerly Minetest) is vulnerable to a code injection flaw in versions 5.0.0 through 5.15.1 due to improper control over code generation in its Lua sandbox environment. This flaw allows malicious mods to escape sandbox restrictions and execute arbitrary code on the host system, gaining full filesystem access. The vulnerability affects multiple mod environments including server-side and client-side mods when LuaJIT is enabled. The issue is fixed in version 5.15.2. Alternatively, users can mitigate the vulnerability without recompilation by adding 'getfenv = nil' to the end of builtin/init.lua, which disables a function that enables the exploit but may break some mods.
Potential Impact
Exploitation allows arbitrary code execution with full filesystem access on the user's device, compromising system integrity and confidentiality. This can lead to complete system compromise through malicious mods. The vulnerability is critical with a CVSS 4.0 score of 9.0, indicating high attack vector and impact. No known exploits in the wild have been reported yet.
Mitigation Recommendations
A patch is available in Luanti version 5.15.2 that fixes this vulnerability. Users should upgrade to this version to fully remediate the issue. If upgrading is not immediately possible, a temporary mitigation can be applied by editing the builtin/init.lua file to add the line 'getfenv = nil' at the end, which disables the function enabling the exploit. Note that this workaround may break mods that rely on getfenv. Monitor vendor advisories for any further updates or official guidance.
CVE-2026-41196: CWE-94: Improper Control of Generation of Code ('Code Injection') in luanti-org luanti
Description
Luanti versions from 5. 0. 0 up to but not including 5. 15. 2 contain a critical code injection vulnerability (CWE-94) that allows a malicious mod to escape the sandboxed Lua environment and execute arbitrary code with full filesystem access. This affects server-side mods, async, mapgen, and client-side mod environments when LuaJIT is used. The vulnerability is patched in version 5. 15. 2. A manual mitigation is possible by editing the builtin/init.
CVSS v4.0
Score 9.0critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Luanti (formerly Minetest) is vulnerable to a code injection flaw in versions 5.0.0 through 5.15.1 due to improper control over code generation in its Lua sandbox environment. This flaw allows malicious mods to escape sandbox restrictions and execute arbitrary code on the host system, gaining full filesystem access. The vulnerability affects multiple mod environments including server-side and client-side mods when LuaJIT is enabled. The issue is fixed in version 5.15.2. Alternatively, users can mitigate the vulnerability without recompilation by adding 'getfenv = nil' to the end of builtin/init.lua, which disables a function that enables the exploit but may break some mods.
Potential Impact
Exploitation allows arbitrary code execution with full filesystem access on the user's device, compromising system integrity and confidentiality. This can lead to complete system compromise through malicious mods. The vulnerability is critical with a CVSS 4.0 score of 9.0, indicating high attack vector and impact. No known exploits in the wild have been reported yet.
Mitigation Recommendations
A patch is available in Luanti version 5.15.2 that fixes this vulnerability. Users should upgrade to this version to fully remediate the issue. If upgrading is not immediately possible, a temporary mitigation can be applied by editing the builtin/init.lua file to add the line 'getfenv = nil' at the end, which disables the function enabling the exploit. Note that this workaround may break mods that rely on getfenv. Monitor vendor advisories for any further updates or official guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-18T02:51:52.973Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e9707c87115cfb68522134
Added to database: 4/23/2026, 1:06:04 AM
Last enriched: 4/30/2026, 8:12:27 AM
Last updated: 6/7/2026, 7:32:58 AM
Views: 123
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.