CVE-2026-22208
Published: 17 February 2026
Description
OpenS100 (the reference implementation S-100 viewer) prior to commit 753cf29 contains a remote code execution vulnerability via an unrestricted Lua interpreter. The Portrayal Engine initializes Lua using luaL_openlibs() without sandboxing or capability restrictions, exposing standard libraries such as 'os' and 'io' to untrusted portrayal catalogues. An attacker can provide a malicious S-100 portrayal catalogue containing Lua scripts that execute arbitrary commands with the privileges of the OpenS100 process when a user imports the catalogue and loads a chart.
Mitigating Controls (NIST 800-53 r5)
Directly remediates the unrestricted Lua interpreter flaw by requiring timely application of the vendor patch from commit 753cf29 that restricts access to dangerous libraries.
Controls execution of Lua scripts in untrusted S-100 portrayal catalogues by treating them as mobile code and enforcing authorization, usage restrictions, and safeguards.
Restricts the portrayal engine to least functionality by prohibiting exposure of unnecessary Lua libraries like 'os' and 'io' to untrusted inputs.
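The least-functionality control above amounts to never handing catalogue scripts the full global table that luaL_openlibs() populates. As an added illustration (not OpenS100's code and not the change made in commit 753cf29), the following Lua 5.2+ host-side wrapper compiles an untrusted catalogue chunk into a whitelist environment, so 'os', 'io' and the loaders are simply absent from what the script can reach:

```lua
-- Added example, not OpenS100 code. Assumes Lua 5.2 or later, where
-- load(chunk, name, mode, env) accepts an explicit environment table.

local function make_catalogue_env()
  -- Only pure, side-effect-free functionality is reachable from catalogue code.
  local env = {
    string = string, table = table, math = math,
    pairs = pairs, ipairs = ipairs, next = next, select = select,
    tostring = tostring, tonumber = tonumber, type = type,
    pcall = pcall, error = error, assert = assert,
  }
  -- Deliberately absent: os, io, require, package, dofile, loadfile, load,
  -- debug, and getmetatable/setmetatable (which could reach the string metatable).
  return env
end

-- Compile and run an untrusted chunk inside the whitelist environment.
-- Mode "t" accepts only source text; precompiled bytecode is rejected because
-- the Lua VM does not verify it and it can escape environment restrictions.
local function run_catalogue_script(source, name)
  local chunk, err = load(source, name or "=catalogue", "t", make_catalogue_env())
  if not chunk then
    return false, "compile error: " .. tostring(err)
  end
  return pcall(chunk)   -- errors inside the script are caught, not propagated
end

-- Constructed sample scripts for demonstration.
local benign = [[
  local w = 2 * math.pi
  return string.format("line width %.2f", w)
]]
-- A script that tries to reach the host OS library; in the whitelist
-- environment 'os' is nil, so the call fails and pcall reports the error.
local hostile = [[ return os.getenv("PATH") ]]

print(run_catalogue_script(benign))
print(run_catalogue_script(hostile))
```

Restricting the environment is only one layer; the host should also avoid reintroducing 'os', 'io' or 'package' through custom bindings registered for catalogue use.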
Security Summary
CVE-2026-22208 is a remote code execution vulnerability in OpenS100, the reference implementation S-100 viewer, affecting versions prior to commit 753cf29. The issue resides in the Portrayal Engine, which initializes the Lua interpreter using luaL_openlibs() without sandboxing or capability restrictions. This exposes standard libraries such as 'os' and 'io' to untrusted portrayal catalogues, allowing embedded Lua scripts to execute arbitrary code. The vulnerability is rated 9.6 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and is associated with CWE-749 (Exposed Dangerous Method or Function) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
A remote attacker can exploit this vulnerability by providing a malicious S-100 portrayal catalogue containing Lua scripts. Exploitation requires a user to import the catalogue and load a chart in OpenS100, triggering the scripts to execute arbitrary commands with the privileges of the OpenS100 process. No authentication is needed, though user interaction is required, enabling network-based attacks with low complexity that result in high confidentiality, integrity, and availability impacts.
Mitigation is addressed in commit 753cf29 on the OpenS100 GitHub repository (https://github.com/S-100ExpertTeam/OpenS100/commit/753cf294434e8d3961f20a567c4d99151e3b530d), which presumably restricts Lua library access. Additional details are available in the VulnCheck advisory (https://www.vulncheck.com/advisories/opens100-portrayal-engine-unrestricted-lua-standard-library-access) and a related MDPI publication (https://www.mdpi.com/1424-8220/26/4/1246). Security practitioners should update to the patched commit and validate portrayal catalogues from untrusted sources.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote code execution via an unsandboxed Lua interpreter in a client viewer application. This maps directly to Exploitation for Client Execution (T1203), since user interaction is required to import and load a malicious catalogue, and it enables abuse of Lua scripting (T1059.011) for arbitrary command execution.