{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-40959", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-16T00:51:19.133Z", "datePublished": "2026-04-16T00:51:19.520Z", "dateUpdated": "2026-04-16T12:32:04.767Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Luanti", "vendor": "Luanti", "versions": [{"lessThan": "5.15.2", "status": "affected", "version": "5.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T01:20:05.802Z"}, "references": [{"url": "https://github.com/luanti-org/luanti/security/advisories/GHSA-g596-mf82-w8c3"}, {"url": "https://github.com/luanti-org/luanti/commit/8a929dfb97aa08337f49ba1bb96a56d6557dc896"}, {"url": "https://github.com/luanti-org/luanti/commit/53cef183e2a85a4daff84ac1a9a7946f940da8f8"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T12:22:22.799310Z", "id": "CVE-2026-40959", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:32:04.767Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40959", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T12:22:22.799310Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:22:24.129Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "LOCAL", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Luanti", "product": "Luanti", "versions": [{"status": "affected", "version": "5.0.0", "lessThan": "5.15.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/luanti-org/luanti/security/advisories/GHSA-g596-mf82-w8c3"}, {"url": "https://github.com/luanti-org/luanti/commit/8a929dfb97aa08337f49ba1bb96a56d6557dc896"}, {"url": "https://github.com/luanti-org/luanti/commit/53cef183e2a85a4daff84ac1a9a7946f940da8f8"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T01:20:05.802Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40959", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:32:04.767Z", "dateReserved": "2026-04-16T00:51:19.133Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-16T00:51:19.520Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod."}], "id": "CVE-2026-40959", "lastModified": "2026-04-16T01:16:11.617", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-16T01:16:11.617", "references": [{"source": "cve@mitre.org", "url": "https://github.com/luanti-org/luanti/commit/53cef183e2a85a4daff84ac1a9a7946f940da8f8"}, {"source": "cve@mitre.org", "url": "https://github.com/luanti-org/luanti/commit/8a929dfb97aa08337f49ba1bb96a56d6557dc896"}, {"source": "cve@mitre.org", "url": "https://github.com/luanti-org/luanti/security/advisories/GHSA-g596-mf82-w8c3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.15.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Luanti", "source": "cna", "vendor": "Luanti"}, "product": "luanti", "vendor": "luanti"}], "analysis": {"en": {"generated_at": "2026-04-16T09:03:14.358935+00:00", "value": {"mitigation_remediation": ["Upgrade Luanti to version 5.15.2 or newer, which resolves the sandbox escape.", "Disable LuaJIT functionality in Luanti unless required for legitimate workarounds.", "Restrict mod installation to verified, trusted sources and audit mod code before deployment."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Luanti is impacted in all versions prior to 5.15.2. Users running Luanti 5.x with LuaJIT enabled are at risk.\n", "description_and_impact": "A crafted mod that exploits LuaJIT in Luanti allows a sandbox escape, giving an attacker the ability to execute arbitrary Lua code outside the intended safe environment. This flaw maps to CWE-829, exposing the application to excessive privilege gain during mod loading.", "risk_and_exploitability": "The vulnerability has a CVSS score of 9.3, indicating critical severity, and is not listed in the CISA Known Exploited Vulnerabilities catalog. EPSS data is unavailable, but the lack of mitigation in the community suggests the risk remains high. The likely attack vector is the deployment of a crafted mod in environments where LuaJIT is enabled; this inference is based on the description of a sandbox escape via a crafted module."}}}}, "created": "2026-04-16T09:12:07.667384+00:00", "title": "Lua sandbox escape via crafted module in Luanti using LuaJIT", "updated": "2026-04-16T09:15:30.976081+00:00", "vendors": ["luanti", "luanti$PRODUCT$luanti"]}