Cyber Posture

CVE-2026-40032

High · Public PoC

Published: 08 April 2026

Modified: 13 April 2026
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0002 5.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40032 is a high-severity OS Command Injection (CWE-78) vulnerability in Mobasi (inferred from references). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 5.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Directly requires validation and sanitization of attacker-controlled inputs like %line%, %user%, and %user_home% before substitution into command strings passed to eval, preventing command injection.

prevent

Mandates identification, reporting, and timely patching of the specific command injection flaw in UAC's _run_command() function via available GitHub commits.

prevent

Enforces least privilege for the UAC process, limiting the privileges available for arbitrary commands executed through injected shell metacharacters.

MITRE ATT&CK Enterprise Techniques [AI]

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection vulnerability enables local arbitrary command execution via Unix shell in a client tool (T1203 Exploitation for Client Execution and T1059.004 Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

UAC (Unix-like Artifacts Collector) before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the _run_command() function passes constructed command strings directly to eval without proper sanitization. Attackers can inject shell metacharacters or command substitutions through attacker-controlled inputs including %line% values from foreach iterators and %user% / %user_home% values derived from system files to achieve arbitrary command execution with the privileges of the UAC process.

Deeper analysis [AI]

CVE-2026-40032 is a command injection vulnerability (CWE-78) affecting UAC (Unix-like Artifacts Collector) versions before 3.3.0-rc1. The issue resides in the placeholder substitution and command execution pipeline, where the _run_command() function constructs command strings from potentially attacker-controlled inputs and passes them directly to eval without proper sanitization. Vulnerable inputs include %line% values from foreach iterators and %user% / %user_home% values derived from system files.

With a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), the vulnerability can be exploited by a local attacker requiring user interaction. By injecting shell metacharacters or command substitutions through the controlled inputs, the attacker achieves arbitrary command execution with the privileges of the UAC process.

Mitigation patches are provided in the uac GitHub repository via commits 50ace60e172e38feb78347bdf579311c23eff078, cb95d7166cd47908e1189d9669e43f9a6d3d707f, and d0fca5e36d8d6a33a4404f0f6fe92b0424544589. Additional details and discussion appear in issue #429 and pull request #443.
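
The substitute-then-eval pattern described above, shown beside two hardened forms, as an added illustration that is neither UAC's code nor the fix from the commits listed. All function names and the sample value are constructed for this example, and the template is assumed to use %line% outside any quotes of its own.

```shell
#!/bin/sh
# Added illustration of the substitute-then-eval pattern; not UAC's code.
# expand, sh_quote, run_unsafe, run_quoted and valid_user are hypothetical names.

# Replace the first %line% in template $1 with $2, byte for byte.
expand() {
  case $1 in *%line%*) ;; *) printf '%s' "$1"; return ;; esac
  _pre=${1%%'%line%'*}
  _post=${1#*'%line%'}
  printf '%s%s%s' "$_pre" "$2" "$_post"
}

# Weak: the value becomes shell syntax, so ; | & $( ) and backticks are parsed.
run_unsafe() {
  eval "$(expand "$1" "$2")"
}

# Wrap $1 in single quotes, rewriting each embedded ' as '\''.
sh_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hardened: eval receives the value as one literal word.
# Only valid when the template uses %line% outside any quotes of its own.
run_quoted() {
  eval "$(expand "$1" "$(sh_quote "$2")")"
}

# Allowlist for values with a known grammar (here: account names).
# Rejects empty strings, a leading '-', and anything outside [A-Za-z0-9._-].
valid_user() {
  case $1 in
    ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# Constructed sample value standing in for one line of a foreach list.
SAMPLE='report.txt; echo INJECTED'
printf 'unsafe: %s\n' "$(run_unsafe 'echo collected %line%' "$SAMPLE" | tr '\n' '|')"
printf 'quoted: %s\n' "$(run_quoted 'echo collected %line%' "$SAMPLE" | tr '\n' '|')"
```

Quoting keeps arbitrary values usable as data, while the allowlist suits fields such as %user% where anything outside the expected character set can simply be rejected before substitution.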

Details

CWE(s)

Affected Products

Mobasi
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-41015 · Shared CWE-78
CVE-2026-24844 · Shared CWE-78
CVE-2025-1244 · Shared CWE-78
CVE-2026-39862 · Shared CWE-78
CVE-2026-40030 · Shared CWE-78
CVE-2026-33412 · Shared CWE-78
CVE-2026-6849 · Shared CWE-78
CVE-2026-5485 · Shared CWE-78
CVE-2026-34714 · Shared CWE-78
CVE-2026-33874 · Shared CWE-78
