
CVE-2025-12120

NVD (NIST)
Published: Nov 20, 2025
Modified: Dec 10, 2025

CVSS base score: 7.3
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.3 / Impact: 5.9
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process.

Affected (1)

Products: Lite XL: Lite XL (1 product)
Lite XL, Configuration A (1 vulnerable)
Affected versions: up to 2.1.8

References (2)

Source: cret@cert.org
Tags: Issue Tracking, Patch
Source: cret@cert.org
Tags: Exploit, Patch, Third Party Advisory
