Critical LuaJIT Sandbox Escape in Luanti 5
The National Vulnerability Database (NVD) has issued an advisory for CVE-2026-40959, a critical vulnerability impacting Luanti 5 versions prior to 5.15.2. This flaw specifically affects instances where LuaJIT is in use, enabling a Lua sandbox escape via a cleverly crafted mod.
With a CVSS score of 9.3, this vulnerability is rated critical. A successful exploit could lead to a complete compromise of confidentiality, integrity, and availability within the affected system, as indicated by the CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The NVD attributes this to CWE-829, which points to an improper neutralization of a ‘sandbox’ or ‘jailed’ environment. This means an attacker could break out of the restricted execution environment and gain broader system access than intended.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40959 | Sandbox Escape | Luanti 5 before 5.15.2 |
| CVE-2026-40959 | Sandbox Escape | LuaJIT usage in Luanti 5 |
| CVE-2026-40959 | Sandbox Escape | Crafted mod in Luanti 5 |