← Back

Minetest

minetest

Vendor: Minetest • 4 CVEs

CVEs (4)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2026-41196
1Minetest
1Minetest
May 14, 2026
Apr 23, 2026
9.0 CRITICAL· v4
10.0 CRITICAL· v3
N/A· v2
Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary co...Show more
Luanti (formerly Minetest) is an open source voxel game-creation platform. Starting in version 5.0.0 and prior to version 5.15.2, a malicious mod can trivially escape the sandboxed Lua environment to execute arbitrary code and gain full filesystem access on the user's device. This applies to the server-side mod, async and mapgen as well as the client-side (CSM) environments. This vulnerability is only exploitable when using LuaJIT. Version 5.15.2 contains a patch. On release versions, one can also patch this issue without recompiling by editing `builtin/init.lua` and adding the line `getfenv = nil` at the end. Note that this will break mods relying on this function (which is not inherently unsafe).Show less
CVE-2022-35978
1Minetest
1Minetest
Nov 21, 2024
Aug 15, 2022
N/A· v4
10.0 CRITICAL· v3
N/A· v2
Minetest is a free open-source voxel game engine with easy modding and game creation. In **single player**, a mod can set a global setting that controls the Lua script loaded to display the main menu. The script is then...Show more
Minetest is a free open-source voxel game engine with easy modding and game creation. In **single player**, a mod can set a global setting that controls the Lua script loaded to display the main menu. The script is then loaded as soon as the game session is exited. The Lua environment the menu runs in is not sandboxed and can directly interfere with the user's system. There are currently no known workarounds.Show less
CVE-2022-24301
2Debian
Minetest
2Debian Linux
Minetest
Nov 21, 2024
Feb 2, 2022
N/A· v4
6.5 MEDIUM· v3
6.4 MEDIUM· v2
In Minetest before 5.4.0, players can add or subtract items from a different player's inventory.
CVE-2022-24300
2Debian
Minetest
2Debian Linux
Minetest
Nov 21, 2024
Feb 2, 2022
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Minetest before 5.4.0 allows attackers to add or modify arbitrary meta fields of the same item stack as saved user input, aka ItemStack meta injection.