CVE-2026-40456
published 2026-06-18


Priority P2 59 | high 8.6 | CVSS 4.0
Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.95% (56.7th percentile)
An OS Command Injection vulnerability exists in LMS (LAN Management System) before commit 9fcb4de due to an IP address parameter being passed to the "exec()" function without proper validation, allowing attackers to execute arbitrary operating system commands.

Affected (1 range)

Vendor | Product | Version range | Fixed in
lms | lms | < 9fcb4de | 9fcb4de