← back
CVE-2026-40456

OS Command Injection in LMS

CVSS 8.6 HIGHEPSS 0.9%CWE-78
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.6EPSS 0.9%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
18 Jun 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
An OS Command Injection vulnerability exists in LMS (LAN Management System) before commit 9fcb4de due to an IP address parameter being passed to the "exec()" function without proper validation, allowing attackers to execute arbitrary operating system commands.
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N
Affected products
LMS · LMS