CVE-2026-46368
Gravedad CVSS v4.0:
ALTA
Tipo:
CWE-77
Neutralización incorrecta de elementos especiales usados en un comando (Inyección de comando)
Fecha de publicación:
26/05/2026
Última modificación:
26/05/2026
Descripción
*** Pendiente de traducción *** luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user holding the luci.https-dns-proxy ACL permission can inject shell metacharacters through the 'name' parameter of a ubus RPC call to luci.https-dns-proxy setInitAction, resulting in arbitrary command execution as root on the underlying device. Core OpenWrt is not affected; only installations that have opted in to the luci-app-https-dns-proxy package are vulnerable.
Impacto
Puntuación base 4.0
8.70
Gravedad 4.0
ALTA
Puntuación base 3.x
8.80
Gravedad 3.x
ALTA



