Categories: Cyber Security News

Lite XL Text Editor Vulnerability Lets Attackers Execute Arbitrary Code

Lite XL, a lightweight text editor popular among developers, contains two critical vulnerabilities that could allow attackers to execute arbitrary code on affected systems.

The flaws were disclosed on November 11, 2025, affecting all versions prior to 2.1.8.

The Vulnerabilities

The first vulnerability, identified as CVE-2025-12120, involves the automatic execution of .lite_project.lua files without user confirmation.

When users open a project directory in Lite XL, the editor automatically runs the project configuration file containing Lua code.

This creates a significant security risk: opening a malicious project can execute untrusted code with the same privileges as the text editor itself.

An attacker could distribute a compromised project repository, deceiving users into cloning it and unknowingly running malicious code.

The second flaw, CVE-2025-12121, exists in the legacy system.exec function used throughout the application.

This function constructs shell commands without proper sanitization, enabling arbitrary command execution.

The vulnerable function appears in multiple locations, including project launching, drag-and-drop file handling, and the treeview plugin.

Attackers exploiting this weakness could execute system commands with full editor privileges, potentially compromising the entire host system.

These vulnerabilities pose serious threats to developers working with untrusted codebases.

A malicious actor could inject code into open-source repositories or send crafted project files to unsuspecting users.

Once opened in Lite XL, the attack executes automatically, requiring no further user interaction beyond opening the project.

Users must update Lite XL immediately to versions incorporating security patches. The fixes include PR #1472, which implements trust guards for project modules, and PR #1473, which removes the unsafe legacy exec function entirely.

These patches prevent automatic code execution and eliminate dangerous methods for constructing shell commands.

CVE ID	Vulnerability	Type	Affected Versions	CVSS Score	Fix
CVE-2025-12120	Automatic .lite_project.lua Execution	Arbitrary Code Execution	Lite XL 2.1.8 and prior	High	PR #1472
CVE-2025-12121	Legacy system.exec Function	Arbitrary Command Execution	Lite XL 2.1.8 and prior	High	PR #1473

Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Updates

The post Lite XL Text Editor Vulnerability Lets Attackers Execute Arbitrary Code appeared first on Cyber Security News.

Lite XL Text editor Vulnerability Let Attackers Execute Arbitrary Code

A vulnerability has been discovered in Lite XL, a lightweight text editor, that could allow attackers to execute arbitrary code on affected systems. Carnegie Mellon University experts identified CVE-2025-12120, which affects Lite XL versions 2.1.8 and earlier. The flaw exists in how Lite XL handles project configuration files. How the…

November 13, 2025

In "Cyber Security News"

Vim for Windows Vulnerability Let Attackers Execute Arbitrary Code

A critical security vulnerability has been discovered in Vim for Windows that could allow attackers to execute malicious code on users’ computers. The vulnerability, identified as CVE-2025-66476, affects Vim versions before 9.1.1947 and has been rated high severity, with a CVSS score of 7.8. The flaw lies in how Vim…

December 4, 2025

In "Cyber Security News"

Cisco Unified Contact Center Express Vulnerabilities Let Remote Attacker Execute Malicious Code

Cisco has disclosed multiple critical vulnerabilities in Unified Contact Center Express (CCX) that allow unauthenticated remote attackers to execute malicious code and escalate privileges. The vulnerabilities affect the Java Remote Method Invocation (RMI) process and authentication mechanisms, potentially compromising entire contact center deployments. RCE and Authentication Bypass Vulnerability The primary…

November 6, 2025

In "Cyber Security News"

rssfeeds-admin