CVE-2026-55748
MEDIUMOpenstack Horizon - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Title source: ruleDescription
OpenStack Horizon before 25.7.4 produces scripts for OpenStack RC file downloading that may have a crafted project name with shell metacharacters. NOTE: some parties consider this a security hardening opportunity to address certain types of user error, not a vulnerability.
References (2)
Core 2
Scores
CVSS v3
6.0
EPSS
0.0019
EPSS Percentile
8.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (4)
OpenStack/Horizon
25.4.0 - 25.5.3
OpenStack/Horizon
25.6.0 - 25.7.4
OpenStack/Horizon
8.0.0 - 25.3.3
pypi/horizon
0 - 25.7.3PyPI
Published
Jun 17, 2026
Tracked Since
Jun 17, 2026