CVE-2026-40456
Published: 18 June 2026
Summary
CVE-2026-40456 is a high-severity OS Command Injection (CWE-78) vulnerability in Cert (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-37875
- 🇵🇱 CERT-PL: cert.pl
Vulnerability details
An OS Command Injection vulnerability exists in LMS (LAN Management System) before commit 9fcb4de due to an IP address parameter being passed to the "exec()" function without proper validation, allowing attackers to execute arbitrary operating system commands.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via unsanitized input to exec() directly enables arbitrary command execution (T1059); the flaw is in a management web app, enabling exploitation of a public-facing application (T1190).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.