PT-2026-34594 · Luanti · Luanti

Published 2026-04-23 · Updated 2026-05-14 · CVE-2026-41196

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Luanti versions 5.0.0 through 5.15.1

Description

A malicious mod can escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This issue affects server-side mods, async, mapgen, and client-side (CSM) environments, and is only exploitable when using LuaJIT (a Just-In-Time compiler for the Lua programming language).

Recommendations

Update to version 5.15.2. As a temporary workaround for release versions, edit builtin/init.lua and add the line getfenv = nil at the end, though this may break mods relying on the getfenv() function.
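
For installs that cannot be updated right away, the workaround above can be applied idempotently and with a backup. The script below is an added example, not part of the advisory or the Luanti project: the function names is_affected and apply_workaround are hypothetical, and the version string and the path to builtin/init.lua are supplied by the operator.

```shell
#!/bin/sh
# Added example; function names are this example's own, not Luanti's.

# is_affected VERSION: 0 if VERSION is in 5.0.0..5.15.1, 1 if not, 2 if unparsable.
is_affected() {
    v=${1%%-*}                          # drop a suffix such as "-dev"
    case $v in ''|*[!0-9.]*) return 2 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $v                           # split on dots (digits and dots only)
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 5 ] || return 1
    [ "$minor" -le 14 ] && return 0
    [ "$minor" -eq 15 ] && [ "$patch" -le 1 ] && return 0
    return 1
}

# apply_workaround FILE: make "getfenv = nil" the last statement of FILE.
# Returns 0 on success or if already applied, 2 if FILE is missing, 3 if backup fails.
apply_workaround() {
    init=$1
    [ -f "$init" ] || return 2
    # Idempotence: skip if the last non-blank line is already the workaround.
    if grep -v '^[[:space:]]*$' "$init" | tail -n 1 |
        grep -Eq '^[[:space:]]*getfenv[[:space:]]*=[[:space:]]*nil[[:space:]]*$'; then
        return 0
    fi
    cp -p "$init" "$init.bak" || return 3    # keep the original for rollback
    # Terminate an unterminated last line so the statement lands on its own line.
    if [ -n "$(tail -c 1 "$init")" ]; then printf '\n' >> "$init"; fi
    printf '%s\n' 'getfenv = nil' >> "$init"
}

# Usage: sh thisfile VERSION /path/to/builtin/init.lua
if [ "$#" -eq 2 ]; then
    if is_affected "$1"; then
        apply_workaround "$2" && echo "workaround applied to $2"
    else
        echo "version $1 is outside the affected range or unparsable"
    fi
fi
```

The original file is kept as init.lua.bak, so the change can be reverted if a mod that relies on getfenv() stops working.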

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-41196

Affected Products

Luanti