Godot - 5 CVEs (Page 1/1)

About “Godot”

A curated feed of “Godot”-related CVEs appears below. We currently track 5 CVEs for this tag (all time). In the last 365 days, 1 were published. Average CVSS is 8.1 (all time; 7.8 over 365d), and 100% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

In our taxonomy this topic maps to a LOW impact class. Game engines and tooling can ship inside applications. Patch engines, pin dependencies, sandbox editor plugins, and validate assets. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: godot

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	Premier Support	EOL	LTS
4.6	2026-01-26	4.6.3	Unavailable	-
4.5	2025-09-15	4.5.2	2026-03-19	-
4.4	2025-03-03	4.4.1	2025-10-23	2026-03-26 Expired
3.6	2024-09-08	3.6.2	Unavailable	-	LTS
4.3	2024-08-15	4.3	2025-10-09	2025-10-23 Expired
4.2	2023-11-29	4.2.2	2025-03-03	2025-10-09 Expired
4.1	2023-07-05	4.1.4	2025-03-03	2025-03-03 Expired
4.0	2023-03-01	4.0.4	2023-03-01	2023-11-29 Expired
3.5	2022-08-05	3.5.3	2022-08-05	2025-10-23 Expired	LTS
3.4	2021-11-05	3.4.5	2022-08-05	2022-08-05 Expired
3.3	2021-04-21	3.3.4	2021-11-05	2021-11-05 Expired
3.2	2020-01-29	3.2.3	2021-04-21	2021-04-21 Expired
3.1	2019-03-13	3.1.2	2020-01-29	2020-01-29 Expired
3.0	2018-01-29	3.0.6	Unavailable	- Expired
2.1	2016-08-09	2.1.6	Unavailable	- Expired	LTS
2.0	2016-02-22	2.0.4.1	Unavailable	- Expired
1.0	2014-12-15	1.0	Unavailable	- Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “Godot” · RSS (High+Critical only)

2026-02-04

High

CVE-2026-25546

Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The…

CVSS: 7.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD

2021-02-08

High

CVE-2021-26826

A stack overflow issue exists in Godot Engine up to v3.2 and is caused by improper boundary checks when loading .TGA image files. Depending on the context of the application, attack vector can be loc…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD

High

CVE-2021-26825

An integer overflow issue exists in Godot Engine up to v3.2 that can be triggered when loading specially crafted.TGA image files. The vulnerability exists in ImageLoaderTGA::load_image() function at…

CVSS: 7.8 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD

2019-05-31

Critical

CVE-2019-10069

In Godot through 3.1, remote code execution is possible due to the deserialization policy not being applied correctly.

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD

2018-08-20

High

CVE-2018-1000224

Godot Engine version All versions prior to 2.1.5, all 3.0 versions prior to 3.0.6. contains a Signed/unsigned comparison, wrong buffer size chackes, integer overflow, missing padding initialization v…

CVSS: 7.5 CWE: CWE-131 - Incorrect Calculation of Buffer Size View on NVD