CVE-2026-46368

HIGH

luci-app-https-dns-proxy Authenticated Command Injection via setInitAction

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-46368, a PoC published by Ahmet Mersin.

AI-analyzed exploit summary: the exploit demonstrates an authenticated command injection in OpenWrt's luci-app-https-dns-proxy. A user who already holds the relevant LuCI ACL permission injects shell commands through the 'name' parameter of the setInitAction RPC method and obtains command execution as root on the device.

Description

luci-app-https-dns-proxy through 2025.12.29-5, an optional LuCI web UI add-on for the https-dns-proxy package that is distributed through the OpenWrt community packages feed and is not installed by default, contains a command injection vulnerability (CWE-77) in its setInitAction function. An authenticated user holding the luci.https-dns-proxy ACL permission can inject shell metacharacters through the 'name' parameter of a ubus RPC call to luci.https-dns-proxy setInitAction; the handler runs with rpcd's privileges, so the injected commands execute as root on the underlying device. Core OpenWrt is not affected; only installations that have opted in to the luci-app-https-dns-proxy package are vulnerable. The practical consequence is that any LuCI account granted this ACL, not only the primary admin login, is a path to full device compromise, so affected installations should upgrade to a fixed release or remove the package, and the ACL should not be granted to low-trust accounts.
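As an added illustration (not code from this page, from the luci-app-https-dns-proxy project, or from the published exploit), the shell handler below shows the general shape of a setInitAction-style rpcd method: an unsafe variant that splices the caller-supplied name into a command string the shell re-parses, beside a hardened variant that allowlists both arguments and invokes the init script directly. The function and variable names (INIT_DIR, set_init_action_unsafe, set_init_action_safe, valid_name, valid_action), the eval-based construction of the unsafe variant, the 'action' argument and the stub init script are assumptions of this example; the plugin's real internals are not shown on this page.

```shell
#!/bin/sh
# Added example, not the luci-app-https-dns-proxy code: the page does not show
# the plugin's internals. set_init_action_unsafe models the generic CWE-77 shape
# (an RPC argument spliced into a command string that the shell re-parses);
# set_init_action_safe is the hardened form. The JSON argument parsing a real
# rpcd plugin performs is omitted; both functions take name/action directly.
# INIT_DIR, set_init_action_*, valid_name and valid_action are names chosen here.

# Directory of init scripts; /etc/init.d on a real OpenWrt device. Overridable
# so the example can run against a throwaway directory.
: "${INIT_DIR:=/etc/init.d}"

# Vulnerable pattern (illustrative): eval re-parses the assembled string, so a
# name such as 'https-dns-proxy; id' runs "id" with rpcd's privileges (root).
set_init_action_unsafe() {
    name="$1"; action="$2"
    eval "$INIT_DIR/$name $action"
}

# Hardened: name must be a plain token naming an existing executable init
# script, and action must come from a closed list. The script is then invoked
# directly with quoted arguments, so nothing the caller sent is parsed as shell.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ -f "$INIT_DIR/$1" ] && [ -x "$INIT_DIR/$1" ]
}

valid_action() {
    case "$1" in
        start|stop|restart|reload|enable|disable) return 0 ;;
        *) return 1 ;;
    esac
}

set_init_action_safe() {
    name="$1"; action="$2"
    valid_name "$name"     || { echo "setInitAction: rejected name" >&2; return 2; }
    valid_action "$action" || { echo "setInitAction: rejected action" >&2; return 2; }
    "$INIT_DIR/$name" "$action"
}

# Demo against a constructed stub init script (run with: sh this.sh demo).
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho "stub init: action=$1"\n' > "$tmp/https-dns-proxy"
    chmod +x "$tmp/https-dns-proxy"
    INIT_DIR="$tmp"
    echo "--- unsafe handler, name='https-dns-proxy; echo INJECTED'"
    set_init_action_unsafe 'https-dns-proxy; echo INJECTED' restart
    echo "--- safe handler, same name"
    set_init_action_safe 'https-dns-proxy; echo INJECTED' restart || echo "(rejected, rc=$?)"
    echo "--- safe handler, legitimate call"
    set_init_action_safe https-dns-proxy restart
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

The charset check plus file-existence check generalizes to any handler that manages several services; for an app that manages exactly one service, matching the name against the literal `https-dns-proxy` is tighter still. The important property in either form is that no caller-controlled byte ever reaches the shell parser: the init script path and the action are passed as separate, quoted argv entries.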

Exploits (1)

Exploit-DB · working PoC
by Ahmet Mersin · python · local · multiple
https://www.exploit-db.com/exploits/52521

Classification
Working PoC (95% confidence)
Attack Type: LPE (privilege escalation from an authenticated LuCI account to root; delivery is over the network, matching the CVSS AV:N vector)
Complexity: Moderate
Reliability: Reliable
Target: OpenWrt 23.05 with luci-app-https-dns-proxy (versions prior to 2026-01-17)
Auth required: yes
Prerequisites: authenticated user with the setInitAction permission in the luci.https-dns-proxy ACL; network access to the OpenWrt router
Analysis: devstral-2, May 26, 2026

References (3)

Exploit: ExploitDB-52521
https://www.exploit-db.com/exploits/52521
Product: Official Product Homepage
https://github.com/stangri/luci-app-https-dns-proxy
Third Party Advisory: VulnCheck Advisory: luci-app-https-dns-proxy Authenticated Command Injection via setInitAction
https://www.vulncheck.com/advisories/luci-app-https-dns-proxy-authenticated-command-injection-via-setinitaction

Scores

CVSS v3.1 8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS 0.0264 (an estimated 2.64% probability of exploitation activity in the next 30 days)
EPSS Percentile 83.6%

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-77, Improper Neutralization of Special Elements used in a Command ('Command Injection')
Status published
Products (1)
mossdef-org/luci-app-https-dns-proxy < 2025.12.29-5
Published May 26, 2026
Tracked Since May 26, 2026