CVE-2025-12120

Source
https://cve.org/CVERecord?id=CVE-2025-12120
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-12120.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-12120
Published
2025-11-20T17:15:48.640Z
Modified
2026-03-14T12:41:21.692787Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

Lite XL versions 2.1.8 and prior automatically execute the .liteproject.lua file when opening a project directory, without prompting the user for confirmation. The .liteproject.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process.

References

Affected packages

Git / github.com/lite-xl/lite-xl

Affected ranges

Type
GIT
Repo
https://github.com/lite-xl/lite-xl
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.1.8"
        }
    ]
}

Affected versions

1.*
1.06-subpixel-rc1
testing-2.*
testing-2.0.2
testing-2.0.3
testing-2.0.4
v1.*
v1.0
v1.01
v1.02
v1.03
v1.04
v1.05
v1.06
v1.07
v1.08
v1.08-subpixel
v1.09
v1.10
v1.10-lite-xl
v1.11
v1.11-lite-xl
v1.12-lite-xl
v1.13-lite-xl
v1.14-lite-xl
v1.14.1-lite-xl
v1.15-lite-xl
v1.15.1-lite-xl
v1.15.2-lite-xl
v1.15.3-lite-xl
v1.16.0-lite-xl
v1.16.1-lite-xl
v1.16.10
v1.16.11
v1.16.12
v1.16.2-lite-xl
v1.16.3-lite-xl
v1.16.4
v1.16.5
v1.16.6
v1.16.6-sdl-renderer-1
v1.16.6-sdl-renderer-2
v1.16.7
v1.16.8
v1.16.9
v1.16.9-dev-1
v2.*
v2.0-beta1
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.3-rc1
v2.1.3-rc2
v2.1.4
v2.1.4-rc1
v2.1.5
v2.1.6
v2.1.7
v2.1.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-12120.json"