Sandbox Escape Vulnerability in Luanti Product by Luanti Org
CVE-2026-40959

9.3CRITICAL

Key Information:

Vendor: Luanti
Status: Luanti
Vendor: CVE Published:; 16 April 2026

What is CVE-2026-40959?

A significant vulnerability has been identified in Luanti versions prior to 5.15.2, allowing unauthorized access beyond the designated Lua sandbox when LuaJIT is being used. This exploitation is facilitated through the manipulation of crafted modules, creating potential security risks for applications utilizing this product. It is essential for users of affected versions to update to the latest release to mitigate the risks associated with this vulnerability.

Affected Version(s)

Luanti 5.0.0 < 5.15.2

References

https://github.com/luanti-org/luanti/security/advisories/...

https://github.com/luanti-org/luanti/commit/8a929dfb97aa0...

https://github.com/luanti-org/luanti/commit/53cef183e2a85...

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2026
Vulnerability Reserved
Apr 16, 2026

CVE-2026-40959 Data

JSON