CVE-2026-39866

HIGH

Lawnchair vulnerable to Command Injection via unquoted workflow dispatch input in release_update.yml

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-39866. PoCs published by abhayclasher.

AI-analyzed exploit summary This repository contains a functional proof-of-concept for CVE-2026-39866, demonstrating a command injection vulnerability in GitHub Actions workflow dispatch due to unquoted user input. The PoC includes both vulnerable and patched versions for comparison.

Description

Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue.

Exploits (1)

nomisec WORKING POC
by abhayclasher · poc
https://github.com/abhayclasher/CVE-2026-39866

This repository contains a functional proof-of-concept for CVE-2026-39866, demonstrating a command injection vulnerability in GitHub Actions workflow dispatch due to unquoted user input. The PoC includes both vulnerable and patched versions for comparison.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: LawnchairLauncher/lawnchair (versions below fcba413)
No auth needed
Prerequisites: Node.js 18 or later · Docker (optional)
devstral-2 · analyzed Apr 28, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 8.8
EPSS 0.0235
EPSS Percentile 81.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-77
Status published
Products (2)
lawnchair/lawnchair < 15.0.0
LawnchairLauncher/lawnchair < fcba413f55dd47f8a3921445252849126c6266b2
Published Apr 21, 2026
Tracked Since Apr 21, 2026