CVE-2026-46368

· Published 26/05/2026 15:16 · Modified 26/05/2026 19:50

Labels: CVE-2026-46368, 2026-05-26, CWE-77, [email protected]

Essential information

Published: 26/05/2026 15:16
Modified: 26/05/2026 19:50
Author:
Creator:
CVSS: 8.7 HIGH (v3), 8.7 HIGH (v4.0)
CISA KEV: No
CWE:
CVSS vector:

CVSS metrics

Description

luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user holding the luci.https-dns-proxy ACL permission can inject shell metacharacters through the 'name' parameter of a ubus RPC call to luci.https-dns-proxy setInitAction, resulting in arbitrary command execution as root on the underlying device. Core OpenWrt is not affected; only installations that have opted in to the luci-app-https-dns-proxy package are vulnerable.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product: openwrt / luci-app-https-dns-proxy
CPE: cpe:2.3:a:openwrt:luci-app-https-dns-proxy:2025.12.29-5:*:*:*:*:*:*:*

References