Home / Vulnerability Intelligence / CVE-2026-39866

CVE-2026-39866 - Vulnerability Analysis

N/a

Last Updated: April 21, 2026

Lawnchair - Command Injection

Published: April 21, 2026Updated: April 21, 2026PoC Available

Overview

Lawnchair contains a command injection caused by unsanitized input in release_update.yml workflow dispatch, letting attackers execute arbitrary code remotely, exploit requires crafted workflow dispatch input.

Severity & Score

Severity: N/a

Impact

Attackers can execute arbitrary code remotely, potentially compromising the system.

Mitigation

Update to the version including commit fcba413f55dd47f8a3921445252849126c6266b2 or later.

References

https://github.com/LawnchairLauncher/lawnchair/commit/fcba413f55dd47f8a3921445252849126c6266b2
https://github.com/LawnchairLauncher/lawnchair/security/advisories/GHSA-9prc-pp2c-3427

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-39866
Severity: N/a
Type: command_injection
Status: new

CWE

CWE-77

CVSS Metrics

N/A