{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/luanti/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-40959"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sandbox-escape","luanti","luajit","cve-2026-40959"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-40959 describes a critical vulnerability in Luanti 5, specifically in versions prior to 5.15.2, when used with LuaJIT. The vulnerability allows a malicious actor to escape the Lua sandbox environment by exploiting a crafted \u0026ldquo;mod.\u0026rdquo; This escape could lead to unauthorized access and control over the system, potentially allowing for arbitrary code execution outside of the intended sandbox. The vulnerability was reported to MITRE and assigned a CVSS v3.1 score of 9.3, indicating a critical severity. 
This vulnerability poses a significant threat to systems relying on Luanti for sandboxed Lua execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Lua \u0026ldquo;mod\u0026rdquo; specifically designed to exploit the sandbox escape vulnerability in Luanti.\u003c/li\u003e\n\u003cli\u003eThe malicious mod leverages weaknesses in the LuaJIT implementation within Luanti to bypass sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe crafted mod is loaded into a vulnerable Luanti 5 instance.\u003c/li\u003e\n\u003cli\u003eUpon execution of the malicious mod, the attacker gains the ability to execute arbitrary Lua code outside the intended sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker can then utilize this escaped context to interact with the underlying operating system.\u003c/li\u003e\n\u003cli\u003eUsing OS-level access, the attacker escalates privileges further.\u003c/li\u003e\n\u003cli\u003eThe attacker installs persistent backdoors or other malicious software.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker achieves complete system compromise, exfiltrates sensitive data, or causes other damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40959 could lead to a complete compromise of systems utilizing vulnerable versions of Luanti 5 with LuaJIT. An attacker could gain unauthorized access to sensitive data, install malware, or disrupt critical services. Given the critical CVSS score of 9.3, the potential impact is high, especially in environments where Luanti is used to sandbox untrusted Lua code. 
The number of potential victims depends on the adoption rate of Luanti 5 and the prevalence of LuaJIT usage within those installations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Luanti to version 5.15.2 or later to patch CVE-2026-40959.\u003c/li\u003e\n\u003cli\u003eMonitor for the loading of unsigned or untrusted Lua mods within Luanti environments (see process_creation rule below).\u003c/li\u003e\n\u003cli\u003eInspect Lua mods for suspicious code patterns indicative of sandbox escape attempts (develop custom rules based on the specific LuaJIT weaknesses exploited).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T01:16:11Z","date_published":"2026-04-16T01:16:11Z","id":"/briefs/2026-04-luanti-sandbox-escape/","summary":"Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod, potentially leading to arbitrary code execution.","title":"Luanti LuaJIT Sandbox Escape (CVE-2026-40959)","url":"https://feed.craftedsignal.io/briefs/2026-04-luanti-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-40960"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-40960","luanti","access-control"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLuanti 5 prior to version 5.15.2 suffers from an improper access control vulnerability (CVE-2026-40960). This flaw can be exploited when at least one mod is configured as either \u003ccode\u003esecure.trusted_mods\u003c/code\u003e or \u003ccode\u003esecure.http_mods\u003c/code\u003e. Under these conditions, a specially crafted malicious mod can intercept requests intended for the insecure environment or HTTP API, effectively bypassing intended security controls. 
The vulnerability allows the malicious mod to gain unauthorized access to sensitive resources, potentially leading to data breaches or system compromise. Organizations using affected versions of Luanti 5 are urged to upgrade to version 5.15.2 or implement mitigating controls to prevent exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Luanti 5 instance running a version prior to 5.15.2 with at least one mod configured as \u003ccode\u003esecure.trusted_mods\u003c/code\u003e or \u003ccode\u003esecure.http_mods\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious mod designed to intercept HTTP requests.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the crafted mod to the Luanti 5 environment.\u003c/li\u003e\n\u003cli\u003eThe malicious mod intercepts requests directed towards the insecure environment or HTTP API.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the malicious mod gains unauthorized access to the targeted environment or API.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained access to perform unauthorized actions, such as reading sensitive data or manipulating system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or establishes persistent access for future malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40960 can lead to complete compromise of the insecure environment or HTTP API within Luanti 5. This could result in unauthorized access to sensitive data, modification of system configurations, or complete system takeover. 
The severity of the impact depends on the specific functionality and data exposed by the insecure environment, but could include data breaches, financial loss, or reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Luanti 5 to version 5.15.2 or later to patch CVE-2026-40960.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, review the configuration of \u003ccode\u003esecure.trusted_mods\u003c/code\u003e and \u003ccode\u003esecure.http_mods\u003c/code\u003e and remove any untrusted or unnecessary mods.\u003c/li\u003e\n\u003cli\u003eMonitor Luanti 5 webserver logs for suspicious HTTP requests originating from unusual or newly deployed mods using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies for deploying and managing Luanti 5 mods to prevent unauthorized installation of malicious modules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T01:16:11Z","date_published":"2026-04-16T01:16:11Z","id":"/briefs/2026-04-luanti-access/","summary":"Luanti 5 before 5.15.2 allows unintended access to an insecure environment if a crafted mod intercepts requests when secure mods are enabled, potentially leading to unauthorized access and control.","title":"Luanti 5 Improper Access Control Vulnerability (CVE-2026-40960)","url":"https://feed.craftedsignal.io/briefs/2026-04-luanti-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Luanti","version":"https://jsonfeed.org/version/1.1"}