unknown

CVE-2025-27107 in the Integrated Scripting Minecraft mod allowed arbitrary code execution through unrestricted reflection access. The vulnerability stemmed from using HostAccess.ALL in the Polyglot compiler configuration, enabling attackers to execute OS commands or grant themselves admin privileges via JavaScript scripts in Variable Cards. Developers fixed it by replacing the permissive setting with a custom configuration and making reflection access disabled by default. The case demonstrates the importance of careful security configuration when integrating scripting engines and performing regular static code analysis.