PT-2026-20300 · Opens100 · Opens100

Hoyeon Cho · Published 2026-02-17 · Updated 2026-05-26

CVE-2026-22208

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

OpenS100 versions prior to commit 753cf29

Description

The software contains a remote code execution issue due to an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries like os and io to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart. The vulnerable component is the Lua interpreter within the Portrayal Engine.

Recommendations

Versions prior to commit 753cf29 should be updated to commit 753cf29 or later.
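
The capability restriction that the description says is missing can be illustrated with an allowlisted script environment. This is an added example, not OpenS100 code and not the change made in commit 753cf29. It assumes Lua 5.2 or later; the helper names and both sample scripts are constructed for illustration.

```lua
-- Added example, not OpenS100 code. Assumes Lua 5.2+ (load() takes mode and env).
-- Helper names (copy, new_sandbox_env, run_untrusted) are hypothetical.

-- Copy selected fields so a script cannot modify the host's library tables.
local function copy(lib, names)
  local out = {}
  for _, name in ipairs(names) do out[name] = lib[name] end
  return out
end

-- Fresh allowlisted environment per script: no os, io, package, debug,
-- require, load, loadfile, dofile, or getmetatable/setmetatable.
-- Caveat: method calls on strings still reach the host string library via
-- the string metatable, and nothing here limits CPU or memory use.
local function new_sandbox_env()
  return {
    ipairs = ipairs, pairs = pairs, next = next, select = select,
    tonumber = tonumber, tostring = tostring, type = type,
    pcall = pcall, error = error, assert = assert,
    math = copy(math, { "abs", "ceil", "floor", "max", "min", "sqrt", "pi", "huge" }),
    string = copy(string, { "byte", "char", "find", "format", "gmatch",
                            "gsub", "len", "lower", "match", "sub", "upper" }),
    table = copy(table, { "concat", "insert", "remove", "sort" }),
  }
end

-- Compile and run an untrusted chunk inside the allowlisted environment.
-- Mode "t" accepts source text only and rejects precompiled bytecode.
local function run_untrusted(source, chunkname)
  local fn, err = load(source, "=" .. chunkname, "t", new_sandbox_env())
  if not fn then return false, err end
  return pcall(fn)
end

-- Constructed sample scripts standing in for portrayal catalogue rule files.
local benign = [[ return string.format("depth=%d", math.floor(12.7)) ]]
local uses_os = [[ return os.getenv("PATH") ]]

-- Each call prints a success flag followed by the result or the error message.
print(run_untrusted(benign, "benign.lua"))
print(run_untrusted(uses_os, "uses_os.lua"))   -- fails: os is not in the environment
print(run_untrusted("\27Lua", "bytecode.luac")) -- fails: binary chunk refused
```

A host that embeds Lua through the C API gets the same effect by opening only the libraries it needs rather than calling luaL_openlibs().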

Exploit

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2026-22208

Affected Products

Opens100