29 matches found

ATTACKERKB
added 3 days ago | 7 views

CVE-2026-58652

luci-app-travelmate and the travelmate package contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to...

CVSS 7.7 | AI score 6.1 | EPSS 0.00482
Exploits: 0 | References: 8 | Affected Software: 1

Cvelist
added 3 days ago | 35 views

CVE-2026-58652 luci-app-travelmate - Arbitrary Command Execution via UCI Script Parameter

luci-app-travelmate and the travelmate package contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to...

CVSS 7.7 | EPSS 0.00482
Exploits: 0 | References: 7

CVE
added 3 days ago | 12 views

CVE-2026-58652

The issue affects luci-app-travelmate and the travelmate package. A LuCI/rpcd session with the luci-app-travelmate write ACL gains config-wide UCI write access to the travelmate configuration, and the backend travelmate service (running as root) reads raw UCI values for script and script_args and...

CVSS 7.7 | AI score 6.1 | EPSS 0.00482
Exploits: 0 | References: 7

NVD
added 6 days ago | 8 views

CVE-2026-57999

luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability exists because user-controlled loginserver and loginserver_authkey parameters are improperly quoted...

CVSS 8.8 | EPSS 0.01179
Exploits: 0 | References: 2

ATTACKERKB
added 6 days ago | 6 views

CVE-2026-57999

luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability exists because user-controlled loginserver and loginserver_authkey parameters are improperly quoted...

CVSS 8.8 | AI score 6 | EPSS 0.01179
Exploits: 0 | References: 3

Cvelist
added 6 days ago | 30 views

CVE-2026-57999 luci-app-tailscale-community - Command Injection via tailscale.do_login RPC

luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability exists because user-controlled loginserver and loginserver_authkey parameters are improperly quoted...

CVSS 8.8 | EPSS 0.01179
Exploits: 0 | References: 2

Vulnrichment
added 6 days ago | 5 views

CVE-2026-57999 luci-app-tailscale-community - Command Injection via tailscale.do_login RPC

luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability exists because user-controlled loginserver and loginserver_authkey parameters are improperly quoted...

CVSS 8.8 | AI score 6 | EPSS 0.01179
Exploits: 0 | References: 2

CVE
added 6 days ago | 24 views

CVE-2026-57999

CVE-2026-57999 affects luci-app-tailscale-community. The vulnerability is a command injection in the tailscale.do_login RPC method caused by improper quoting of user-controlled loginserver and loginserver_authkey inside a double-quoted shell command, allowing shell substitutions (e.g., $()) to be...

CVSS 8.8 | AI score 6 | EPSS 0.01179
Exploits: 0 | References: 2

Positive Technologies
added 6 days ago | 8 views

PT-2026-53682

Name of the Vulnerable Software and Affected Versions: luci-app-tailscale-community (affected versions not specified). Description: An issue in the tailscale.do_login RPC method allows authenticated users to execute arbitrary commands with root privileges. This occurs because the loginserver and...

CVSS 8.8 | AI score 6.1 | EPSS 0.01179
Exploits: 0 | References: 5

NVD
added 2026/05/26 3:16 p.m. | 17 views

CVE-2026-46368

luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user...

CVSS 8.8 | EPSS 0.02671
Exploits: 0 | References: 3

CVE
added 2026/05/26 2:8 p.m. | 45 views

CVE-2026-46368

CVE-2026-46368 affects the OpenWrt luci-app-https-dns-proxy package (not Core OpenWrt). The vulnerability is a command injection in setInitAction via a ubus RPC call; an authenticated user with the luci.https-dns-proxy ACL can inject shell metacharacters through the 'name' parameter, enabling arb...

CVSS 8.8 | AI score 6.1 | EPSS 0.02671
Exploits: 0 | References: 3

Cvelist
added 2026/05/26 2:8 p.m. | 38 views

CVE-2026-46368 luci-app-https-dns-proxy Authenticated Command Injection via setInitAction

luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user...

CVSS 8.8 | EPSS 0.02671
Exploits: 0 | References: 3

Vulnrichment
added 2026/05/26 2:8 p.m. | 10 views

CVE-2026-46368 luci-app-https-dns-proxy Authenticated Command Injection via setInitAction

luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user...

CVSS 8.8 | AI score 6.1 | EPSS 0.02671
Exploits: 0 | References: 3

ATTACKERKB
added 2026/05/26 2:8 p.m. | 10 views

CVE-2026-46368

luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user...

CVSS 8.8 | AI score 6.1 | EPSS 0.02671
Exploits: 0 | References: 3

EUVD
added 2026/05/26 2:8 p.m. | 13 views

EUVD-2026-31836

luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user...

CVSS 8.8 | AI score 6.1 | EPSS 0.02671
Exploits: 0 | References: 3

Positive Technologies
added 2026/05/26 12:0 a.m. | 21 views

PT-2026-43259

luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user...

CVSS 8.8 | AI score 6.1 | EPSS 0.02671
Exploits: 0 | References: 4

RedhatCVE
added 2026/01/09 9:33 a.m. | 8 views

CVE-2024-39208

luci-app-lucky v2.8.3 was discovered to contain hardcoded credentials...

CVSS 9.8 | AI score 7.4 | EPSS 0.00581
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 9:27 a.m. | 6 views

CVE-2024-39209

luci-app-sms-tool v1.9-6 was discovered to contain a command injection vulnerability via the score parameter...

CVSS 6.3 | AI score 8 | EPSS 0.00953
Exploits: 0 | References: 1

NVD
added 2024/06/27 9:15 p.m. | 23 views

CVE-2024-39209

luci-app-sms-tool v1.9-6 was discovered to contain a command injection vulnerability via the score parameter...

CVSS 6.3 | EPSS 0.00953
Exploits: 0 | References: 2

NVD
added 2024/06/27 8:15 p.m. | 15 views

CVE-2024-39208

luci-app-lucky v2.8.3 was discovered to contain hardcoded credentials...

CVSS 9.8 | EPSS 0.00581
Exploits: 0 | References: 2