Cyber Resilience

CVE-2026-24821

Critical

Published: 27 January 2026

Published
27 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:H/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:M/U:Amber
EPSS Score 0.0034 25.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-24821 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Lua (T1059.011); ranked at the 25.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files lparser.C. This issue affects WickedEngine: through 0.71.727.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.011 Lua Execution
Adversaries may abuse Lua commands and scripts for execution.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

OOB read in Lua parser enables malicious Lua script execution leading to client-side exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References