CVE-2026-40456
Severity: HIGH
LMS < 9fcb4de IP Address Parameter - OS Command Injection
Title source: manual

Description
An OS Command Injection vulnerability exists in LMS (LAN Management System) before commit 9fcb4de due to an IP address parameter being passed to the "exec()" function without proper validation, allowing attackers to execute arbitrary operating system commands.
References (3)
Third Party Advisory: https://cert.pl/posts/2026/06/CVE-2026-40455
Product: https://lms.org.pl/
Scores
CVSS v4: 8.6
EPSS: 0.0095
EPSS Percentile: 56.5%
CVSS v4 vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-78
Status: published
Products (1): LMS/LMS < 9fcb4de
Published: Jun 18, 2026
Tracked Since: Jun 18, 2026