CVE-2025-12121: Lite XL versions 2.1.8 and prior: Untrusted Command Execution
Summary
If you're using Lite XL version 2.1.8 or earlier, an attacker could potentially run any command on your system by tricking the software into executing it. This could let them access sensitive data or cause other harm. Update to the latest version to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| lite-xl | lite_xl | <= 2.1.8 (`cpe:2.3:a:lite-xl:lite_xl:*:*:*:*:*:*:*:*`) |
Original title
Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was use...
Original description
Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the “open in system” command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process.
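The bug class described above, modelled in Python as an added example; this is not Lite XL's code, and `printf %s` is an assumed stand-in for the system opener so the argument it actually receives can be observed. All function names and the sample file names are constructed for illustration.

```python
import shlex
import subprocess

# Constructed sample names, as a dropped file or project directory might be called.
SAMPLES = ["report.txt", "notes $(echo EXPANDED).txt", "a`echo EXPANDED`b.txt"]

def _run(cmd, shell):
    # printf %s stands in for the real opener and echoes the argument it received.
    return subprocess.run(cmd, shell=shell, capture_output=True, text=True).stdout

def open_shell_string(path):
    """Vulnerable pattern: path pasted into a double-quoted shell command line."""
    return _run(f'printf %s "{path}"', shell=True)

def open_shell_quoted(path):
    """Mitigation 1: still a shell, but the path is quoted with shlex.quote."""
    return _run(f"printf %s {shlex.quote(path)}", shell=True)

def open_argv(path):
    """Mitigation 2: no shell at all; the path is a single argv element."""
    return _run(["printf", "%s", path], shell=False)

def audit(paths=SAMPLES):
    """Map each path to the strategies that delivered it to the opener unchanged."""
    strategies = {"shell_string": open_shell_string,
                  "shell_quoted": open_shell_quoted,
                  "argv": open_argv}
    return {p: [name for name, fn in strategies.items() if fn(p) == p]
            for p in paths}

if __name__ == "__main__":
    for path, intact in audit().items():
        print(f"{path!r}: delivered intact by {intact}")
```

Wrapping the path in double quotes is not enough, because the shell still performs command substitution inside them; only proper quoting or an argv-based launch keeps the file name as data.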
NVD CVSS 3.1 score: 7.3
Vulnerability type
CWE-78: OS Command Injection
- https://github.com/lite-xl/lite-xl/pull/2163 (Patch)
- https://kb.cert.org/vuls/id/579478 (Exploit, Patch, Third Party Advisory)
Published: 20 Nov 2025 · Updated: 15 Jun 2026 · First seen: 7 Mar 2026