CVE-2026-39866

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Lawnchair versions prior to commit fcba413f55dd47f8a3921445252849126c6266b2

Description Command injection in the 'release update.yml' workflow dispatch input allows for arbitrary code execution. This issue occurs within the workflow engine and can be triggered by an unauthenticated user.

Recommendations Update to the version containing commit fcba413f55dd47f8a3921445252849126c6266b2.

Exploit

Fix

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77

Related Identifiers

CVE-2026-39866

Affected Products

Lawnchair

CVE-2026-39866

Weakness Enumeration

Related Identifiers

Affected Products

References · 5