CVE-2026-46368: Improper Neutralization of Special Elements used in a Command ('Command Injection') in mossdef-org luci-app-https-dns-proxy
CVE-2026-46368 is a command injection vulnerability in the luci-app-https-dns-proxy package, an optional LuCI web UI add-on for the https-dns-proxy package used in OpenWrt. The flaw exists in the setInitAction function, where an authenticated user with luci. https-dns-proxy ACL permission can inject shell metacharacters via the 'name' parameter of a ubus RPC call. This injection leads to arbitrary command execution with root privileges on the affected device. The core OpenWrt system is not affected; only installations that have explicitly installed this optional package are vulnerable. There is no vendor advisory or patch information currently available for this vulnerability.
AI Analysis
Technical Summary
The luci-app-https-dns-proxy package through version 2025.12.29-5 contains a command injection vulnerability in the setInitAction function. An authenticated user with the appropriate ACL permission can exploit this by injecting shell metacharacters into the 'name' parameter of a ubus RPC call, resulting in arbitrary command execution as root on the device. This vulnerability affects only systems that have opted to install this optional LuCI add-on and does not impact the core OpenWrt system. No official remediation or patch has been documented yet.
Potential Impact
Successful exploitation allows an authenticated user with luci.https-dns-proxy ACL permission to execute arbitrary commands as root on the underlying device. This can lead to full system compromise, unauthorized control, and potential disruption or manipulation of device functionality. The vulnerability is limited to devices with the optional luci-app-https-dns-proxy package installed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to users with luci.https-dns-proxy ACL permission and consider disabling or uninstalling the luci-app-https-dns-proxy package if it is not required.
CVE-2026-46368: Improper Neutralization of Special Elements used in a Command ('Command Injection') in mossdef-org luci-app-https-dns-proxy
Description
CVE-2026-46368 is a command injection vulnerability in the luci-app-https-dns-proxy package, an optional LuCI web UI add-on for the https-dns-proxy package used in OpenWrt. The flaw exists in the setInitAction function, where an authenticated user with luci. https-dns-proxy ACL permission can inject shell metacharacters via the 'name' parameter of a ubus RPC call. This injection leads to arbitrary command execution with root privileges on the affected device. The core OpenWrt system is not affected; only installations that have explicitly installed this optional package are vulnerable. There is no vendor advisory or patch information currently available for this vulnerability.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The luci-app-https-dns-proxy package through version 2025.12.29-5 contains a command injection vulnerability in the setInitAction function. An authenticated user with the appropriate ACL permission can exploit this by injecting shell metacharacters into the 'name' parameter of a ubus RPC call, resulting in arbitrary command execution as root on the device. This vulnerability affects only systems that have opted to install this optional LuCI add-on and does not impact the core OpenWrt system. No official remediation or patch has been documented yet.
Potential Impact
Successful exploitation allows an authenticated user with luci.https-dns-proxy ACL permission to execute arbitrary commands as root on the underlying device. This can lead to full system compromise, unauthorized control, and potential disruption or manipulation of device functionality. The vulnerability is limited to devices with the optional luci-app-https-dns-proxy package installed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to users with luci.https-dns-proxy ACL permission and consider disabling or uninstalling the luci-app-https-dns-proxy package if it is not required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-05-13T19:40:27.809Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a15af1f891d628fdc46fa15
Added to database: 5/26/2026, 2:33:03 PM
Last enriched: 5/26/2026, 2:47:16 PM
Last updated: 5/26/2026, 3:39:06 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.