CVE-2026-40456

UNKNOWN 0.0

OS Command Injection in LMS

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

An OS Command Injection vulnerability exists in LMS (LAN Management System) before commit 9fcb4de due to an IP address parameter being passed to the "exec()" function without proper validation, allowing attackers to execute arbitrary operating system commands.

CWE	CWE-78
Vendor	lms
Product	lms
Published	Jun 18, 2026
Last Updated	Jun 18, 2026

Stay Ahead of the Next One

Get instant alerts for lms lms

Be the first to know when new unknown vulnerabilities affecting lms lms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

LMS / LMS

0 < 9fcb4de

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/chilek/lms/commit/9fcb4de19b7d76394898dbc124252b86b07ac0ed cert.pl: https://cert.pl/posts/2026/06/CVE-2026-40455 lms.org.pl: https://lms.org.pl/

Credits

Tymoteusz Dominik