{"id":"CVE-2026-39866","summary":"Lawnchair vulnerable to Command Injection via unquoted workflow dispatch input in release_update.yml","details":"Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue.","aliases":["GHSA-9prc-pp2c-3427"],"modified":"2026-07-08T07:10:43.241444Z","published":"2026-04-21T01:19:47.510Z","database_specific":{"cwe_ids":["CWE-77"],"cna_assigner":"GitHub_M","unresolved_ranges":[{"extracted_events":[{"fixed":"fcba413f55dd47f8a3921445252849126c6266b2"}],"source":"AFFECTED_FIELD"}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39866.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39866.json"},{"type":"ADVISORY","url":"https://github.com/LawnchairLauncher/lawnchair/security/advisories/GHSA-9prc-pp2c-3427"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39866"},{"type":"FIX","url":"https://github.com/LawnchairLauncher/lawnchair/commit/fcba413f55dd47f8a3921445252849126c6266b2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lawnchairlauncher/lawnchair","events":[{"introduced":"0"},{"fixed":"fcba413f55dd47f8a3921445252849126c6266b2"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v15.0.0-beta2","v15.0.0-beta1","v14.0.0-beta3","v14.0.0-beta2","v14.0.0-beta1","v12.1.0-alpha.4","v12.1.0-alpha.3","v12.1.0-alpha.2","v12.1.0-alpha.1","v12.0.0-alpha.5","v12.0-alpha.4","v12.0-alpha.3","v12.0-alpha.2","v12.0-alpha.1","v11.0-alpha.6.1","v11.0-alpha.6","v11.0-alpha.1","android-11.0.0_r31","android-11.0.0_r29","android-11.0.0_r28","android-11.0.0_r27","android-11.0.0_r26","android-11.0.0_r24","android-11.0.0_r23","android-11.0.0_r22","android-11.0.0_r21","android-11.0.0_r20","android-11.0.0_r19","android-11.0.0_r18","android-7.1.2_r9","android-7.1.2_r8","android-7.1.2_r6","android-7.1.2_r5","android-7.1.2_r4","android-7.1.2_r39","android-7.1.2_r38","android-7.1.2_r37","android-7.1.2_r36","android-7.1.2_r33","android-7.1.2_r32","android-7.1.2_r30","android-7.1.2_r3","android-7.1.2_r29","android-7.1.2_r28","android-7.1.2_r27","android-7.1.2_r25","android-7.1.2_r24","android-7.1.2_r23","android-7.1.2_r2","android-7.1.2_r19","android-7.1.2_r18","android-7.1.2_r17","android-7.1.2_r16","android-7.1.2_r15","android-7.1.2_r14","android-7.1.2_r13","android-7.1.2_r12","android-7.1.2_r11","android-7.1.2_r10","android-7.1.2_r1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39866.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"}]}