Skip to main content

Uac CVE-2026-40032

| EUVDEUVD-2026-20775 HIGH
OS Command Injection (CWE-78)
2026-04-08 VulnCheck GHSA-vv2j-m83f-q33j
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 08, 2026 - 22:01 euvd
EUVD-2026-20775
Analysis Generated
Apr 08, 2026 - 22:01 vuln.today
Patch released
Apr 08, 2026 - 22:01 nvd
Patch available
CVE Published
Apr 08, 2026 - 21:35 nvd
HIGH 8.5

DescriptionCVE.org

UAC (Unix-like Artifacts Collector) before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the _run_command() function passes constructed command strings directly to eval without proper sanitization. Attackers can inject shell metacharacters or command substitutions through attacker-controlled inputs including %line% values from foreach iterators and %user% / %user_home% values derived from system files to achieve arbitrary command execution with the privileges of the UAC process.

AnalysisAI

Command injection in Unix-like Artifacts Collector (UAC) pre-3.3.0-rc1 enables arbitrary code execution through unsanitized placeholder substitution in the _run_command() pipeline. Attackers inject shell metacharacters via %line%, %user%, or %user_home% placeholders processed by foreach iterators and system file parsers, exploiting direct eval() execution without input validation. Exploitation requires local access with user interaction but no authentication, executing commands at UAC process privilege level. No public exploit identified at time of analysis.

Technical ContextAI

Root cause is CWE-78 command injection in _run_command() function where placeholder values from foreach loop iterators and system file parsing undergo string substitution then pass unsanitized to eval(). Shell metacharacter filtering absent before command construction. Attack surface includes any UAC artifact collection workflow processing external file content or user-controlled iteration variables that populate %line%, %user%, %user_home% templates.

RemediationAI

Upgrade to UAC 3.3.0-rc1 or later incorporating upstream fixes that sanitize placeholder substitution inputs before eval() execution. Three security commits address the injection vector: cb95d7166cd47908e1189d9669e43f9a6d3d707f, 50ace60e172e38feb78347bdf579311c23eff078, and d0fca5e36d8d6a33a4404f0f6fe92b0424544589 available via GitHub PR 443. Until patching, restrict UAC execution to trusted artifact collection configurations excluding external file parsing or user-controlled foreach inputs. Validate and whitelist all placeholder sources. Vendor advisory and technical analysis: https://www.vulncheck.com/advisories/uac-rc1-command-injection-via-placeholder-substitution and https://github.com/tclahr/uac/issues/429

Share

CVE-2026-40032 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy