Skip to main content

Jsi Lwc CVE-2026-21915

| EUVDEUVD-2026-21078 HIGH
Permissive List of Allowed Inputs (CWE-183)
2026-04-09 juniper GHSA-r893-59mm-pxrg
8.4
CVSS 4.0 · Vendor: juniper
Share

Severity by source

Vendor (juniper) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:M/U:X

Primary rating from Vendor (juniper) · only source for this CVE.

CVSS VectorVendor: juniper

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:M/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:00 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.0.94
EUVD ID Assigned
Apr 09, 2026 - 21:45 euvd
EUVD-2026-21078
Analysis Generated
Apr 09, 2026 - 21:45 vuln.today
CVE Published
Apr 09, 2026 - 21:26 nvd
HIGH 8.4

DescriptionCVE.org

A Permissive List of Allowed Input vulnerability in the CLI of Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows a local, high privileged attacker to escalate their privileges to root.

The CLI menu accepts input without carefully validating it, which allows for shell command injection. These shell commands are executed with root permissions and can be used to gain complete control of the system.

This issue affects all JSI vLWC versions before 3.0.94.

AnalysisAI

Command injection in Juniper Networks Support Insights Virtual Lightweight Collector (JSI vLWC) CLI enables local high-privileged attackers to escalate privileges to root. Inadequate input validation in the CLI menu permits shell command injection, with injected commands executing at root level. All JSI vLWC versions before 3.0.94 affected. CVSS 8.4 (High severity, local vector). Requires high-level existing privileges (PR:H). No public exploit identified at time of analysis.

Technical ContextAI

Vulnerability stems from CWE-183 (Permissive List of Allowed Inputs) implementation flaw in CLI menu processing. Shell metacharacters or command sequences bypass input sanitization, enabling arbitrary command execution via insufficient input validation. Commands inherit root context from CLI process, converting local high-privilege access to complete system control. Affects cpe:2.3:a:juniper_networks:jsi_lwc across all pre-3.0.94 releases.

RemediationAI

Vendor-released patch: Upgrade JSI vLWC to version 3.0.94 or later to remediate command injection vulnerability. This version includes corrected input validation logic for CLI menu processing. Organizations unable to immediately upgrade should restrict local administrative access to JSI vLWC systems, enforce multi-factor authentication for high-privilege accounts, and implement monitoring for abnormal CLI activity patterns. No effective workaround exists for environments requiring CLI access; upgrade is mandatory mitigation. Full vendor advisory and technical details: https://kb.juniper.net/JSA106016. Deployment priority should align with local access control posture and presence of high-privileged user accounts.

Share

CVE-2026-21915 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy