CRITICAL
OpenS100 Project
CVE published 2026-02-17
CVE-2026-22208
OpenS100, the reference implementation S-100 viewer, contains a critical remote code execution vulnerability in its Portrayal Engine prior to commit 753cf29. The engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries including 'os' and 'io' to untrusted portrayal catalogues. An attacker can craft a malicious S-100 portrayal catalogue contain [truncated]