Minetest: >> Minetest Security Vulnerabilities
Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. On release versions, one can also patch this issue without recompiling by editing `builtin/init.lua` and adding the line `getfenv = nil` at the end. Note that this will break mods relying on this function (which is not inherently unsafe).
CVSS Score
9.0
EPSS Score
0.004
Published
2026-04-23
Minetest is a free open-source voxel game engine with easy modding and game creation. In **single player**, a mod can set a global setting that controls the Lua script loaded to display the main menu. The script is then loaded as soon as the game session is exited. The Lua environment the menu runs in is not sandboxed and can directly interfere with the user's system. There are currently no known workarounds.
CVSS Score
7.7
EPSS Score
0.022
Published
2022-08-15
Minetest before 5.4.0 allows attackers to add or modify arbitrary meta fields of the same item stack as saved user input, aka ItemStack meta injection.
CVSS Score
9.8
EPSS Score
0.016
Published
2022-02-02
In Minetest before 5.4.0, players can add or subtract items from a different player's inventory.
CVSS Score
6.5
EPSS Score
0.01
Published
2022-02-02