PT-2025-46529 · X Lite · X-Lite

Published 2025-11-11 · Updated 2025-11-25 · CVE-2025-12121

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Lite XL versions 2.1.8 and prior

Description

Lite XL is a lightweight, cross-platform text editor written in Lua and C, designed for extensibility via plugins and project-specific modules. The application executes project-level Lua modules and the user configuration file directly without restrictions. A flaw exists in the system.exec function, which allows arbitrary command execution through unsanitized shell command construction. This function is utilized in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the “open in system” command in the treeview plugin (treeview.lua). If an attacker can influence input to system.exec, they may execute arbitrary commands with the privileges of the Lite XL process.

Recommendations

Versions prior to 2.1.8 should be updated. As a temporary workaround, consider disabling the system.exec function until a patch is available. Restrict access to project-level Lua modules and the user configuration file to minimize the risk of exploitation.
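The weakness class described above, shell command construction from an unsanitized path versus passing the path as a single argument, shown as an added example (not Lite XL's code and not part of this advisory). The opener `true`, the function names and the sample file name are assumptions constructed for illustration; POSIX only.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: a file name carrying a harmless shell payload. */
static const char *SAMPLE_PATH = "notes.txt; exit 7";

/* Unsafe pattern: the path is pasted into a string that /bin/sh parses,
 * so ';' ends the opener command and starts a second one. */
int open_via_shell(const char *opener, const char *path) {
    char cmd[512];
    int n = snprintf(cmd, sizeof cmd, "%s %s", opener, path);
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hardened pattern: no shell is involved; the path reaches the opener
 * as exactly one argv element, metacharacters included. */
int open_via_argv(const char *opener, const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)opener, (char *)path, NULL };
        execvp(opener, argv);
        _exit(127); /* exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void) {
    /* Exit status 7 shows the text after ';' ran as its own command. */
    printf("shell: %d\n", open_via_shell("true", SAMPLE_PATH));
    /* Exit status 0 is the opener's own status; nothing else ran. */
    printf("argv:  %d\n", open_via_argv("true", SAMPLE_PATH));
    return 0;
}
```
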

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-00072
CVE-2025-12121

Affected Products

X-Lite