CVE-2026-46368
Severity CVSS v4.0:
HIGH
Type:
CWE-77
Command Injection
Publication date:
26/05/2026
Last modified:
26/05/2026
Description
luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user holding the luci.https-dns-proxy ACL permission can inject shell metacharacters through the 'name' parameter of a ubus RPC call to luci.https-dns-proxy setInitAction, resulting in arbitrary command execution as root on the underlying device. Core OpenWrt is not affected; only installations that have opted in to the luci-app-https-dns-proxy package are vulnerable.
Impact
Base Score 4.0
8.70
Severity 4.0
HIGH
Base Score 3.x
8.80
Severity 3.x
HIGH



