CVE-2026-39866 HIGH

CVE-2026-39866: Lawnchair vulnerable to Command Injection via unquoted workflow dispatch input in release_update.yml

Vendor Lawnchairlauncher
Product lawnchair
Weakness CWE-77
Published April 21, 2026
Last update April 25, 2026

CVSS base score

7.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue.

Key dates

02Disclosure timeline

April 21, 2026 CVE published
April 25, 2026 Record updated