CVE-2026-40032
HIGHUAC < 3.3.0-rc1 Command Injection via Placeholder Substitution
Title source: cnaDescription
UAC (Unix-like Artifacts Collector) before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the _run_command() function passes constructed command strings directly to eval without proper sanitization. Attackers can inject shell metacharacters or command substitutions through attacker-controlled inputs including %line% values from foreach iterators and %user% / %user_home% values derived from system files to achieve arbitrary command execution with the privileges of the UAC process.
Scores
CVSS v3
7.8
EPSS
0.0002
EPSS Percentile
5.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (2)
tclahr/UAC
< 3.2.0
tclahr/UAC
3.3.0-rc1
Published
Apr 08, 2026
Tracked Since
Apr 09, 2026