Vulnerability Details CVE-2026-41196
Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. On release versions, one can also patch this issue without recompiling by editing `builtin/init.lua` and adding the line `getfenv = nil` at the end. Note that this will break mods relying on this function (which is not inherently unsafe).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 29.1%
CVSS Severity
CVSS v3 Score 10.0
References
Products affected by CVE-2026-41196
-
cpe:2.3:a:minetest:minetest:5.0.0
-
cpe:2.3:a:minetest:minetest:5.0.1
-
cpe:2.3:a:minetest:minetest:5.1.0
-
cpe:2.3:a:minetest:minetest:5.1.1
-
cpe:2.3:a:minetest:minetest:5.10.0
-
cpe:2.3:a:minetest:minetest:5.11.0
-
cpe:2.3:a:minetest:minetest:5.12.0
-
cpe:2.3:a:minetest:minetest:5.13.0
-
cpe:2.3:a:minetest:minetest:5.14.0
-
cpe:2.3:a:minetest:minetest:5.15.0
-
cpe:2.3:a:minetest:minetest:5.15.1
-
cpe:2.3:a:minetest:minetest:5.2.0
-
cpe:2.3:a:minetest:minetest:5.3.0
-
cpe:2.3:a:minetest:minetest:5.4.0
-
cpe:2.3:a:minetest:minetest:5.4.1
-
cpe:2.3:a:minetest:minetest:5.5.0
-
cpe:2.3:a:minetest:minetest:5.5.1
-
cpe:2.3:a:minetest:minetest:5.6.0
-
cpe:2.3:a:minetest:minetest:5.6.1
-
cpe:2.3:a:minetest:minetest:5.7.0
-
cpe:2.3:a:minetest:minetest:5.8.0
-
cpe:2.3:a:minetest:minetest:5.9.0
-
cpe:2.3:a:minetest:minetest:5.9.1