Cyber Posture

CVE-2026-22208

Critical · Public PoC

Published: 17 February 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0023 (45.9th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22208 is a critical-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Mdpi (inferred from references). Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 45.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-18 (Mobile Code).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly remediates the unrestricted Lua interpreter flaw by requiring timely application of the vendor patch from commit 753cf29, which restricts access to dangerous libraries.

prevent (SC-18, Mobile Code): Controls execution of Lua scripts in untrusted S-100 portrayal catalogues by treating them as mobile code and enforcing authorization, usage restrictions, and safeguards.

prevent (CM-7, Least Functionality): Restricts the portrayal engine to least functionality by prohibiting exposure of unnecessary Lua libraries such as 'os' and 'io' to untrusted inputs.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059.011 Lua (tactic: Execution)
Adversaries may abuse Lua commands and scripts for execution.

Why these techniques?

The vulnerability enables remote code execution through an unsandboxed Lua interpreter in a client viewer application. This maps directly to Exploitation for Client Execution (T1203), since user interaction is required to load a malicious catalogue, and it facilitates abuse of Lua scripting (T1059.011) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.

Deeper analysis

CVE-2026-22208 is a remote code execution vulnerability in OpenS100, the reference implementation S-100 viewer, affecting versions prior to commit 753cf29. The issue resides in the Portrayal Engine, which initializes the Lua interpreter using luaL_openlibs() without sandboxing or capability restrictions. This exposes standard libraries such as 'os' and 'io' to untrusted portrayal catalogues, allowing embedded Lua scripts to execute arbitrary code. The vulnerability is rated 9.6 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is associated with CWE-749 (Exposed Dangerous Method or Function) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

A remote attacker can exploit this vulnerability by providing a malicious S-100 portrayal catalogue containing Lua scripts. Exploitation requires a user to import the catalogue and load a chart in OpenS100, triggering the scripts to execute arbitrary commands with the privileges of the OpenS100 process. No authentication is needed, though user interaction is required, enabling network-based attacks with low complexity that result in high confidentiality, integrity, and availability impacts.

Mitigation is addressed in commit 753cf29 on the OpenS100 GitHub repository (https://github.com/S-100ExpertTeam/OpenS100/commit/753cf294434e8d3961f20a567c4d99151e3b530d), which presumably restricts Lua library access. Additional details are available in the VulnCheck advisory (https://www.vulncheck.com/advisories/opens100-portrayal-engine-unrestricted-lua-standard-library-access) and a related MDPI publication (https://www.mdpi.com/1424-8220/26/4/1246). Security practitioners should update to the patched commit and validate portrayal catalogues from untrusted sources.
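As an added example (not OpenS100's code and not the change in commit 753cf29), a host-side Lua loader that applies the least-functionality principle described above: untrusted catalogue scripts run against an explicit allow-list environment instead of the full global state that luaL_openlibs() creates. It assumes Lua 5.2 or later (load() with an env argument); function and variable names are illustrative.

```lua
-- Added example, not the project's code: run an untrusted portrayal
-- script with only the globals it legitimately needs. os, io, package,
-- debug, require, dofile, loadfile and load are deliberately absent.
local function make_sandbox_env()
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, unpack = table.unpack,
    -- string/table/math are pure computation libraries.
    string = string, table = table, math = math,
  }
  env._G = env   -- a script that reaches for _G sees only the sandbox
  return env
end

-- Compile the catalogue script as text only ("t" rejects precompiled
-- bytecode, which could otherwise escape the environment) with the
-- sandbox as its _ENV, then run it under pcall so errors are contained.
local function run_catalogue_script(source, name)
  local chunk, err = load(source, name or "=catalogue", "t", make_sandbox_env())
  if not chunk then
    return nil, "compile error: " .. err
  end
  local ok, result = pcall(chunk)
  if not ok then
    return nil, "runtime error: " .. tostring(result)
  end
  return result
end

-- Constructed sample scripts (hypothetical, not real catalogue content).
local benign = [[ return math.floor(12.7) + #"scale" ]]
local probe  = [[ return os ~= nil or io ~= nil or require ~= nil ]]

-- The benign rule computes normally; the probe finds none of the
-- dangerous libraries and so evaluates to false.
print(run_catalogue_script(benign, "benign"))
print(run_catalogue_script(probe, "probe"))
```

This restricts only what a script can reach through globals; CPU and memory exhaustion still need separate limits on the host side. The same restriction can be applied in C by replacing luaL_openlibs() with luaL_requiref() calls for the allowed libraries only.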

Details

CWE(s): CWE-749 (Exposed Dangerous Method or Function), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)

Affected Products: Mdpi (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-40959 (shared CWE-829)
CVE-2026-41355 (shared CWE-829)
CVE-2026-41336 (shared CWE-829)
CVE-2026-4295 (shared CWE-829)
CVE-2026-41295 (shared CWE-829)
CVE-2026-32920 (shared CWE-829)
CVE-2025-53964 (shared CWE-749)
CVE-2026-43940 (shared CWE-829)
CVE-2026-3483 (shared CWE-749)
CVE-2025-59403 (shared CWE-749)
