CVE-2025-12120

Published: Nov 20, 2025

Modified: Nov 20, 2025

PUBLISHED

Description

Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process.

Vendor	Product	Versions
Lite XL	Lite XL	affected `2.1.8 and earlier`

References

https://github.com/lite-xl/lite-xl/pull/2164

https://kb.cert.org/vuls/id/579478

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-12120

Description

Affected Products

References