CVE-2026-39866

UNKNOWN 0.0

Lawnchair vulnerable to Command Injection via unquoted workflow dispatch input in release_update.yml

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue.

CWE	CWE-77
Vendor	lawnchairlauncher
Product	lawnchair
Published	Apr 21, 2026

Stay Ahead of the Next One

Get instant alerts for lawnchairlauncher lawnchair

Be the first to know when new unknown vulnerabilities affecting lawnchairlauncher lawnchair are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

LawnchairLauncher / lawnchair

< fcba413f55dd47f8a3921445252849126c6266b2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/LawnchairLauncher/lawnchair/security/advisories/GHSA-9prc-pp2c-3427 github.com: https://github.com/LawnchairLauncher/lawnchair/commit/fcba413f55dd47f8a3921445252849126c6266b2