CVE-2026-46368

luci-app-https-dns-proxy Authenticated Command Injection via setInitAction

CVSS 8.7 HIGHEPSS 2.7%CWE-77

luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user holding the luci.https-dns-proxy ACL permission can inject shell metacharacters through the 'name' parameter of a ubus RPC call to luci.https-dns-proxy setInitAction, resulting in arbitrary command execution as root on the underlying device. Core OpenWrt is not affected; only installations that have opted in to the luci-app-https-dns-proxy package are vulnerable.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

mossdef-org · luci-app-https-dns-proxy

public PoCs found — 2

githubgithub.com/iwallplace/CVE-2026-46368-OpenWrt-Exploit★ 1 cve_referencewww.exploit-db.com/exploits/52521unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/stangri/luci-app-https-dns-proxy https://www.exploit-db.com/exploits/52521 https://www.vulncheck.com/advisories/luci-app-https-dns-proxy-authenticated-command-injection-via-setinitaction