CVE-2026-40032 HIGH

CVE-2026-40032: UAC < 3.3.0-rc1 Command Injection via Placeholder Substitution

Vendor Tclahr
Product UAC
Weakness CWE-78
Published April 8, 2026
Last update May 25, 2026

CVSS base score

8.5/10
Attack vector Local
Attack complexity Low
Attack requirements None
Privileges required None
User interaction Passive
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

UAC (Unix-like Artifacts Collector) before 3.3.0-rc1 contains a command injection vulnerability in its placeholder substitution and command execution pipeline. Collection commands are templates containing placeholders such as %line%, %user% and %user_home%; the _run_command() function substitutes the placeholder values into the command string by plain text replacement and passes the resulting string to eval without quoting or sanitizing the values. Any shell metacharacters or command substitutions in a value are therefore parsed as shell syntax rather than as data.

The values themselves can be attacker-controlled: %line% is taken from foreach iterators (for example filenames or lines of a file on the target host), and %user% / %user_home% are derived from system files such as the password database. Planting a crafted filename or account entry on a host is enough to obtain arbitrary command execution with the privileges of the UAC process, which for a full forensic collection is typically root. This matches the CVSS vector (AV:L, PR:N, UI:P): the attacker needs no account on the collector, only the ability to stage hostile data on the host before an operator runs a collection; the payload fires when the collector processes that data.
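The following is an added example, not UAC's own code, that models the pattern the advisory describes: a command template with %line% / %user% / %user_home% placeholders is expanded by text substitution and the result is handed to eval. The function names, the templates, the passwd line and the hostile filename are all constructed here, and the hardened variant (shell-quoting each value with printf %q before substitution) is one possible mitigation, not necessarily the change shipped in 3.3.0-rc1. UAC itself is a POSIX shell tool; the demo uses bash for its parameter-substitution shorthand.

```bash
#!/usr/bin/env bash
# Added example (not from the UAC project). Shows why splicing placeholder
# values into a command string and then eval'ing it is command injection,
# for both attacker-controlled sources named in the advisory.

# Vulnerable pattern: the value is spliced into the template as-is, so any
# shell metacharacters in it are parsed as shell syntax by eval.
vulnerable_run_command() {
  local template="$1" name="$2" value="$3"
  local cmd="${template//%$name%/"$value"}"
  eval "$cmd"
}

# Hardened pattern (illustrative mitigation): shell-quote the value first,
# so eval sees it as one literal argument whatever characters it contains.
safe_run_command() {
  local template="$1" name="$2" value="$3"
  local quoted cmd
  quoted=$(printf '%q' "$value")
  cmd="${template//%$name%/"$quoted"}"
  eval "$cmd"
}

# Vector 1: a %line% value coming from a foreach iterator. Here the
# "filename" is constructed and carries a command separator. Prints
# "injected" if the payload ran, "contained" otherwise.
foreach_demo() {
  local runner="$1" work marker hostile_line
  work=$(mktemp -d); marker="$work/marker"
  hostile_line="innocent.txt; touch $marker"          # constructed input
  "$runner" 'test -e %line%' line "$hostile_line" >/dev/null 2>&1 || true
  if [ -e "$marker" ]; then echo injected; else echo contained; fi
  rm -rf "$work"
}

# Vector 2: %user_home% derived from a system file. The passwd line is
# constructed; in a real collection it would be read from disk. The home
# directory field carries a command substitution.
passwd_demo() {
  local runner="$1" work marker passwd_line user home
  work=$(mktemp -d); marker="$work/marker"
  passwd_line="evil:x:1001:1001::/home/evil\$(touch $marker):/bin/sh"
  IFS=: read -r user _ _ _ _ home _ <<< "$passwd_line"
  "$runner" 'ls -la %user_home%/.ssh' user_home "$home" >/dev/null 2>&1 || true
  if [ -e "$marker" ]; then echo injected; else echo contained; fi
  rm -rf "$work"
}

# Run both vectors against both implementations when executed directly.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  printf 'foreach %%line%%    : vulnerable=%s safe=%s\n' \
    "$(foreach_demo vulnerable_run_command)" "$(foreach_demo safe_run_command)"
  printf 'passwd %%user_home%%: vulnerable=%s safe=%s\n' \
    "$(passwd_demo vulnerable_run_command)" "$(passwd_demo safe_run_command)"
fi
```

Both hostile values are inert as data and only become code at the eval step, which is why quoting the value (or, better, avoiding eval altogether and invoking the command with the value as a separate argument) closes the hole regardless of which placeholder the value reaches. Note also that the hardened variant still uses `--`-less commands; a value beginning with `-` could be read as an option, which is a separate hardening step.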

Key dates

Disclosure timeline

April 8, 2026 CVE published
May 25, 2026 Record updated