Command Injection Vulnerability in Lawnchair Home App for Android
CVE-2026-39866

7.4HIGH

Key Information:

Vendor: Lawnchairlauncher
Status: Lawnchair
Vendor: CVE Published:; 21 April 2026

🔔 Create Lawnchairlauncher Vulnerability Alert

What is CVE-2026-39866?

Lawnchair, a popular open-source home app for Android, was found to be susceptible to a command injection flaw in its workflow dispatch input mechanism. This vulnerability allowed attackers to execute arbitrary code prior to the patch implemented in commit fcba413f55dd47f8a3921445252849126c6266b2. Users are advised to update their applications to the latest version to mitigate this security threat.

Affected Version(s)

lawnchair < fcba413f55dd47f8a3921445252849126c6266b2

References

https://github.com/LawnchairLauncher/lawnchair/security/a...

x_refsource_CONFIRM

https://github.com/LawnchairLauncher/lawnchair/commit/fcb...

x_refsource_MISC

CVSS V4

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 7, 2026

CVE-2026-39866 Data

JSON