CVE-2026-57999
HighCVSS 8.8Exploitation Probability (EPSS)
Elevated risk64th percentile — higher than 64% of all known CVEs
Summary
A command injection vulnerability in luci-app-tailscale-commons allows authenticated users to execute arbitrary commands as root via the tailscale.do_login RPC method. The issue stems from improper quoting of the loginserver and loginserver_authkey parameters within a double-quoted shell command, enabling shell substitutions like $() to be evaluated.
Risk Assessment
An attacker with administrative panel access can gain full control over the device, execute arbitrary commands, modify configuration, or install malware.
Recommendation
Immediately update the luci-app-tailscale-commons package to a version that fixes the parameter quoting. If no update is available, temporarily restrict administrative panel access to trusted users only.
Original NVD description (English source)
luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability exists because user-controlled loginserver and loginserver_authkey parameters are improperly quoted within a double-quoted shell command, allowing shell substitutions like $() to be evaluated by the outer shell before argument processing.

