OS Command Injection in LMS_CVE-2026-40456

8.6 / 10

HIGH

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

Description

An OS Command Injection vulnerability exists in LMS (LAN Management System) before commit 9fcb4de due to an IP address parameter being passed to the "exec()" function without proper validation, allowing attackers to execute arbitrary operating system commands.

Basic Information

ID CVE-2026-40456

Source CERT-PL

Published Jun 18, 2026 at 10:58

Modified Jun 18, 2026 at 12:29

Affected Product

Vendor LMS

Product LMS

Affected Versions LMS LMS 0

CWE Classification

CWE-78

References

{
    "lastseen": "",
    "description": "An OS Command Injection vulnerability exists in LMS (LAN Management System)\u00a0before commit 9fcb4de due to an IP address parameter being passed to the \"exec()\" function without proper validation, allowing attackers to execute arbitrary operating system commands.",
    "published": "2026-06-18T10:58:51.790Z",
    "modified": "2026-06-18T12:29:40.271Z",
    "type": "cve",
    "title": "OS Command Injection in LMS",
    "source": "CERT-PL",
    "references": "https://github.com/chilek/lms/commit/9fcb4de19b7d76394898dbc124252b86b07ac0ed\nhttps://cert.pl/posts/2026/06/CVE-2026-40455\nhttps://lms.org.pl/",
    "id": "CVE-2026-40456",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "LMS LMS 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "LMS",
    "version": "0",
    "vendor": "LMS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}