CVE-2026-46368

Name of the Vulnerable Software and Affected Versions luci-app-https-dns-proxy versions prior to 2025.12.29-5

Description An authenticated user with the luci.https-dns-proxy ACL permission can execute arbitrary commands as root on the underlying device. This occurs through a command injection in the setInitAction() function, where shell metacharacters can be injected via the name parameter of a ubus RPC call to 'luci.https-dns-proxy setInitAction'. This issue affects the optional LuCI web UI add-on for the https-dns-proxy package distributed through the OpenWrt community packages feed; core OpenWrt is not affected.

Recommendations Update to a version later than 2025.12.29-5. As a temporary workaround, restrict access to the setInitAction() function or the name parameter in the 'luci.https-dns-proxy setInitAction' ubus RPC call.