CVE-2025-12121

Published: Nov 20, 2025

Modified: Nov 20, 2025

PUBLISHED

Description

Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the “open in system” command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process.

Vendor	Product	Versions
Lite XL	Lite XL	affected `2.1.8 and earlier`

References

https://github.com/lite-xl/lite-xl/pull/2163

https://kb.cert.org/vuls/id/579478

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-12121

Description

Affected Products

References