CVE-2026-40960

HIGH 8.1

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also receive access to it.

CWE	CWE-670
Vendor	luanti
Product	luanti
Published	Apr 16, 2026
Last Updated	Apr 16, 2026

Stay Ahead of the Next One

Get instant alerts for luanti luanti

Be the first to know when new high vulnerabilities affecting luanti luanti are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Luanti / Luanti

5.0.0 < 5.15.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/luanti-org/luanti/security/advisories/GHSA-22c4-238c-m5j4 github.com: https://github.com/luanti-org/luanti/commit/0faf529bc4b89e70a275ed1162047815118f2413 github.com: https://github.com/luanti-org/luanti/commit/827fd4cf7f989482b2dad381fa4afd642ea73e8c