CVE-2026-40032

Source
https://cve.org/CVERecord?id=CVE-2026-40032
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40032.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40032
Published
2026-04-08T21:35:27.020Z
Modified
2026-07-08T08:14:03.830750184Z
Severity
  • 8.5 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
UAC < 3.3.0-rc1 Command Injection via Placeholder Substitution
Details

UAC (Unix-like Artifacts Collector) before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the runcommand() function passes constructed command strings directly to eval without proper sanitization. Attackers can inject shell metacharacters or command substitutions through attacker-controlled inputs including %line% values from foreach iterators and %user% / %user_home% values derived from system files to achieve arbitrary command execution with the privileges of the UAC process.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40032.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/tclahr/uac

Affected ranges

Type
GIT
Repo
https://github.com/tclahr/uac
Events
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.3.0-rc1"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.2.0
v1.3.0
v1.3.1
v1.4.0
v1.5.0
v1.5.1
v1.6.0
v1.7.0
v2.*
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.4.1
v2.5.0
v2.6.0
v2.7.0
v2.8.0
v2.9.0
v2.9.1
v3.*
v3.0.0
v3.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40032.json"