What the vulnerability does

01Description

OpenVPN 2.7_alpha1 through 2.7_beta1 on POSIX based platforms allows a remote authenticated server to inject shell commands via DNS variables when --dns-updown is in use

Key dates

02Disclosure timeline

October 24, 2025 CVE published
February 26, 2026 Record updated