CVE-2026-22208
Published: 17 February 2026
Summary
CVE-2026-22208 is a critical-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Mdpi (inferred from references). Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 44.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-18 (Mobile Code).
Deeper analysis
CVE-2026-22208 is a remote code execution vulnerability in OpenS100, the reference implementation S-100 viewer, affecting versions prior to commit 753cf29. The issue resides in the Portrayal Engine, which initializes the Lua interpreter using luaL_openlibs() without sandboxing or capability restrictions. This exposes standard libraries such as 'os' and 'io' to untrusted portrayal catalogues, allowing embedded Lua scripts to execute arbitrary code. The vulnerability is rated 9.6 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is associated with CWE-749 (Exposed Dangerous Method or Function) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
A remote attacker can exploit this vulnerability by providing a malicious S-100 portrayal catalogue containing Lua scripts. Exploitation requires a user to import the catalogue and load a chart in OpenS100, triggering the scripts to execute arbitrary commands with the privileges of the OpenS100 process. No authentication is needed, though user interaction is required, enabling network-based attacks with low complexity that result in high confidentiality, integrity, and availability impacts.
Mitigation is addressed in commit 753cf29 on the OpenS100 GitHub repository (https://github.com/S-100ExpertTeam/OpenS100/commit/753cf294434e8d3961f20a567c4d99151e3b530d), which presumably restricts Lua library access. Additional details are available in the VulnCheck advisory (https://www.vulncheck.com/advisories/opens100-portrayal-engine-unrestricted-lua-standard-library-access) and a related MDPI publication (https://www.mdpi.com/1424-8220/26/4/1246). Security practitioners should update to the patched commit and validate portrayal catalogues from untrusted sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7835
Vulnerability details
OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote code execution via an unsandboxed Lua interpreter in a client viewer application. This maps directly to Exploitation for Client Execution (T1203), since user interaction is required to load the malicious catalogue, and it facilitates abuse of Lua scripting (T1059.011) for arbitrary command execution.
Mitigating Controls (NIST 800-53 r5)
- CM-7 (Least Functionality): Directly requires disabling or restricting unnecessary Lua libraries (os, io) exposed by luaL_openlibs() to untrusted catalogues.
- SC-18 (Mobile Code): Requires control of mobile code execution, preventing unrestricted Lua scripts from untrusted S-100 portrayal catalogues.
- Mandates validation of input data (portrayal catalogues) before the Lua interpreter processes potentially malicious scripts.
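The "Deeper analysis" section and the CM-7/SC-18 controls above both come down to the same engineering change: catalogue scripts must not be able to reach the 'os' and 'io' libraries that luaL_openlibs() puts into the global table. The block below is an added example written for this page; it is not OpenS100 code and the page does not say how commit 753cf29 actually restricts library access. It shows the Lua-side version of the fix, assuming Lua 5.2 or later (load() with an env argument) and a host that has already called luaL_openlibs(): every untrusted script is compiled as text only (no bytecode) and executed against an allowlisted environment, with an instruction budget so a looping rule cannot stall chart rendering. The function names and the three sample scripts are constructed for the example.

```lua
-- Added example (not OpenS100 or CVE-record code): run an untrusted
-- portrayal-catalogue script in a restricted environment instead of the
-- global table that luaL_openlibs() populates. Assumes Lua >= 5.2.

-- Allowlist of side-effect-free libraries a portrayal rule plausibly needs.
-- Deliberately absent: os, io, package, require, load, loadfile, dofile,
-- debug, rawget/rawset, getmetatable/setmetatable and string.dump.
local function make_catalogue_env()
  local env = {
    assert = assert, error = error, ipairs = ipairs, pairs = pairs,
    next = next, select = select, tonumber = tonumber, tostring = tostring,
    type = type, pcall = pcall,
    table = table, math = math, utf8 = utf8,
    string = {},   -- filled below as a copy of string minus string.dump
  }
  for k, v in pairs(string) do
    if k ~= "dump" then env.string[k] = v end
  end
  -- A reference to any name outside the allowlist raises instead of
  -- silently reading nil, so misuse is visible in the viewer's log.
  setmetatable(env, {
    __index = function(_, name)
      error("catalogue script referenced blocked global '" .. tostring(name) .. "'", 2)
    end,
  })
  return env
end

-- Compile and run one catalogue script; returns ok, result_or_error.
-- mode "t" rejects precompiled bytecode (which can break out of an env
-- sandbox); the count hook aborts the script after max_instructions VM
-- instructions so a runaway rule cannot hang rendering.
local function run_catalogue_script(source, name, max_instructions)
  local chunk, err = load(source, "=" .. name, "t", make_catalogue_env())
  if not chunk then
    return false, err
  end
  debug.sethook(function()
    error("instruction budget exceeded", 2)
  end, "", max_instructions or 1000000)
  local ok, res = pcall(chunk)
  debug.sethook()   -- always clear the hook, even after an error
  return ok, res
end

-- Constructed sample scripts standing in for rules embedded in a catalogue.
local benign = [[
  local depth = 12.5
  return string.format("DEPARE %.1f m", math.floor(depth * 10) / 10)
]]
local hostile = [[ return os.getenv("HOME") ]]   -- reaches 'os' under plain luaL_openlibs()
local looping = [[ while true do end ]]

print(run_catalogue_script(benign, "benign.lua"))
print(run_catalogue_script(hostile, "hostile.lua"))
print(run_catalogue_script(looping, "loop.lua", 100000))
```

The benign rule returns its formatted string; the second script fails at the first reference to 'os' with the "blocked global" error rather than running anything; the third is cut off by the instruction budget. An environment allowlist is a meaningful hardening step but not a full isolation boundary: memory exhaustion (for example via very large string.rep results) is not bounded here, and the stronger layer is the host-side one the controls above point at, namely opening only the needed libraries (base, string, table, math) from C instead of calling luaL_openlibs() at all.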