CVE-2025-12121

CVE-2025-12121 PUBLISHED CVSS 7.3 HIGH

Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the “open in system” command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process.

EPSS 0.02% · 7.1th percentile

Risk Scores

  • CVSS v3.1: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
  • EPSS Score: 0.02% (7.1th percentile)

Affected Products

Vendor    Product    Versions
Lite XL   Lite XL    *
lite-xl   lite_xl    0

Timeline

  • Oct 23, 2025 CVE ID Reserved
  • Nov 11, 2025 PoC Published
  • Nov 13, 2025 PoC Published
  • Nov 19, 2025 PoC Published
  • Nov 20, 2025 Coalition ESS Score
  • Nov 20, 2025 PoC Published
  • Nov 20, 2025 PoC Published
  • Nov 20, 2025 CVE Published
  • Nov 20, 2025 CVE Updated
  • Nov 20, 2025 PoC Published
  • Nov 21, 2025 EPSS Score
  • Nov 24, 2025 Coalition ESS Score