CVE Catalog

CVE-2026-40456

HighCVSS 8.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.95%

56th percentile — higher than 56% of all known CVEs

Summary

An OS Command Injection vulnerability exists in LMS (LAN Management System) before commit 9fcb4de. The issue arises from an IP address parameter being passed to the 'exec()' function without proper validation, allowing attackers to execute arbitrary operating system commands.

Risk Assessment

This vulnerability poses a serious security risk as it allows attackers to remotely execute commands, potentially leading to system compromise.

Recommendation

It is recommended to update the LMS system to a version after commit 9fcb4de and implement proper input validation mechanisms to prevent command injection.

Original NVD description (English source)

An OS Command Injection vulnerability exists in LMS (LAN Management System) before commit 9fcb4de due to an IP address parameter being passed to the "exec()" function without proper validation, allowing attackers to execute arbitrary operating system commands.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS