Opens100 · Opens100 · CVE-2026-22208
**Name of the Vulnerable Software and Affected Versions**
OpenS100 versions prior to commit 753cf29
**Description**
The software contains a remote code execution issue due to an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using `luaL_openlibs()` without sandboxing or capability restrictions, exposing standard libraries like `os` and `io` to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart. The vulnerable component is the Lua interpreter within the Portrayal Engine.
**Recommendations**
Versions prior to commit 753cf29 should be updated to commit 753cf29 or later.
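As an added example (not part of the advisory and not OpenS100 code), the following triage script lists the Lua rule files in a catalogue that reference the `os` or `io` libraries named above, so they can be reviewed before import. The other flagged names, the `Rules/` paths and the sample sources are assumptions of this example; a static check like this is a review aid and does not replace updating.

```python
import re

# Page-named libraries (os, io) plus other standard-library entry points that
# reach the same capabilities; the extra names are this example's assumption.
RISKY_GLOBALS = {"os", "io", "package", "debug", "require", "dofile",
                 "loadfile", "load", "loadstring", "_G", "_ENV"}

# Lua comments and string literals, blanked before matching so that a word
# inside a string or comment is not reported.
_SKIP = re.compile(r"""
      --\[(=*)\[.*?\]\1\]        # long comment  --[[ ... ]]
    | --[^\n]*                   # line comment
    | \[(=*)\[.*?\]\2\]          # long string   [[ ... ]]
    | "(?:\\.|[^"\\\n])*"        # double-quoted string
    | '(?:\\.|[^'\\\n])*'        # single-quoted string
""", re.S | re.X)

# Concatenation dots, field/method access (ignored), or a bare identifier.
_TOKEN = re.compile(r"\.{2,}|[.:]\s*[A-Za-z_]\w*|([A-Za-z_]\w*)")

def _blank(match):
    # Keep newlines so reported line numbers match the original file.
    return re.sub(r"[^\n]", " ", match.group(0))

def scan_lua(source):
    """Return sorted (line, name) pairs for risky globals referenced in source."""
    code = _SKIP.sub(_blank, source)
    hits = set()
    for m in _TOKEN.finditer(code):
        name = m.group(1)  # None for dots and field accesses such as feature.io
        if name in RISKY_GLOBALS:
            hits.add((code.count("\n", 0, m.start()) + 1, name))
    return sorted(hits)

def scan_catalogue(files):
    """files maps a rule path to Lua source; returns only files with findings."""
    return {p: h for p, src in files.items() if (h := scan_lua(src))}

# Constructed sample rule files, not taken from any real catalogue.
SAMPLE = {
    "Rules/Benign.lua": 'local note = "uses os and io in text only"  -- os.time\n'
                        'return feature.io\n',
    "Rules/Suspect.lua": 'local f = io.open("out.txt", "w")\n'
                         '--[[ os.exit() ]]\n'
                         'local t = "x"..os.date()\n',
}

if __name__ == "__main__":
    for path, hits in scan_catalogue(SAMPLE).items():
        print(path, hits)
```

A finding means the file needs manual review, not that it is malicious, and an empty result does not prove a catalogue is safe to load in an unpatched build.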