{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39866", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T19:13:20.379Z", "datePublished": "2026-04-21T01:19:47.510Z", "dateUpdated": "2026-04-25T03:55:32.652Z"}, "containers": {"cna": {"title": "Lawnchair vulnerable to Command Injection via unquoted workflow dispatch input in release_update.yml", "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/LawnchairLauncher/lawnchair/security/advisories/GHSA-9prc-pp2c-3427", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LawnchairLauncher/lawnchair/security/advisories/GHSA-9prc-pp2c-3427"}, {"name": "https://github.com/LawnchairLauncher/lawnchair/commit/fcba413f55dd47f8a3921445252849126c6266b2", "tags": ["x_refsource_MISC"], "url": "https://github.com/LawnchairLauncher/lawnchair/commit/fcba413f55dd47f8a3921445252849126c6266b2"}], "affected": [{"vendor": "LawnchairLauncher", "product": "lawnchair", "versions": [{"version": "< fcba413f55dd47f8a3921445252849126c6266b2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T01:19:47.510Z"}, "descriptions": [{"lang": "en", "value": "Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue."}], "source": {"advisory": "GHSA-9prc-pp2c-3427", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/LawnchairLauncher/lawnchair/security/advisories/GHSA-9prc-pp2c-3427", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-39866"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T03:55:32.652Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39866", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T13:45:48.161801Z"}}}], "references": [{"url": "https://github.com/LawnchairLauncher/lawnchair/security/advisories/GHSA-9prc-pp2c-3427", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T15:56:14.076Z"}}], "cna": {"title": "Lawnchair vulnerable to Command Injection via unquoted workflow dispatch input in release_update.yml", "source": {"advisory": "GHSA-9prc-pp2c-3427", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "LawnchairLauncher", "product": "lawnchair", "versions": [{"status": "affected", "version": "< fcba413f55dd47f8a3921445252849126c6266b2"}]}], "references": [{"url": "https://github.com/LawnchairLauncher/lawnchair/security/advisories/GHSA-9prc-pp2c-3427", "name": "https://github.com/LawnchairLauncher/lawnchair/security/advisories/GHSA-9prc-pp2c-3427", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LawnchairLauncher/lawnchair/commit/fcba413f55dd47f8a3921445252849126c6266b2", "name": "https://github.com/LawnchairLauncher/lawnchair/commit/fcba413f55dd47f8a3921445252849126c6266b2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T01:19:47.510Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39866", "state": "PUBLISHED", "dateUpdated": "2026-04-25T03:55:32.652Z", "dateReserved": "2026-04-07T19:13:20.379Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T01:19:47.510Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lawnchair:lawnchair:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9AEE918-9914-4848-A719-56ACA7B7A93D", "versionEndIncluding": "15.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue."}], "id": "CVE-2026-39866", "lastModified": "2026-04-23T18:26:17.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T02:16:06.807", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/LawnchairLauncher/lawnchair/commit/fcba413f55dd47f8a3921445252849126c6266b2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/LawnchairLauncher/lawnchair/security/advisories/GHSA-9prc-pp2c-3427"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/LawnchairLauncher/lawnchair/security/advisories/GHSA-9prc-pp2c-3427"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,fcba413f55dd47f8a3921445252849126c6266b2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "lawnchair", "source": "cna", "vendor": "LawnchairLauncher"}, "product": "lawnchair", "vendor": "lawnchairlauncher"}], "analysis": {"en": {"generated_at": "2026-04-22T03:24:44.941304+00:00", "value": {"mitigation_remediation": ["Apply the patch commit fcba413f55dd47f8a3921445252849126c6266b2 to update the release_update.yml workflow. ", "Restrict workflow dispatch permissions so that only trusted users or teams can trigger release_update.yml. ", "Configure branch protection on the release_update.yml file to prevent unauthorized edits."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected software is Lawnchair, an open\u2011source Android home app maintained by LawnchairLauncher. All releases that include the vulnerable workflow file before the commit fcba413f55dd47f8a3921445252849126c6266b2 are susceptible. Applying the referenced commit or any later release that incorporates it removes the flaw.", "description_and_impact": "A command injection vulnerability has been identified in the release_update.yml workflow of Lawnchair. The flaw arises because user\u2011supplied input is not properly quoted, allowing shell metacharacters to be interpreted by the GitHub Actions runner. This is a CWE\u201177 condition that enables attackers who can trigger the workflow dispatch to run arbitrary shell commands, effectively achieving remote code execution in the runner environment.", "risk_and_exploitability": "The CVSS score of 7.4 classifies this defect as high severity, while the EPSS score of less than 1% suggests exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker can invoke the release_update.yml workflow with sufficient permissions; the likely attack vector is an authorized user or compromised credentials capable of dispatching the workflow, after which arbitrary code would execute on the runner host."}}}}, "created": "2026-04-22T03:30:06.688120+00:00", "updated": "2026-04-22T11:46:59.130151+00:00", "vendors": ["lawnchairlauncher", "lawnchairlauncher$PRODUCT$lawnchair"]}