Command Injection Vulnerability in UAC by tclahr
CVE-2026-40032

8.5 HIGH

Key Information:

Vendor: Tclahr
Status: Vendor
CVE Published: 8 April 2026

What is CVE-2026-40032?

The UAC application prior to version 3.3.0-rc1 has a significant command injection vulnerability within its placeholder substitution and command execution pipeline. This vulnerability arises when the _run_command() function passes command strings directly to the eval function without adequate sanitization. Attackers can exploit this weakness by injecting shell metacharacters or command substitutions through manipulated inputs. Specifically, values derived from system files, such as %user% and %user_home%, as well as %line% values from foreach iterators, can allow for arbitrary command execution with the privileges of the UAC process.
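The following POSIX shell model is an added illustration, not UAC's own code: it shows why a placeholder value that reaches eval as raw command text is parsed as shell syntax, and how quoting the value before substitution keeps it as data. The %user% placeholder mirrors the one named above; the function names and the constructed sample value are hypothetical.

```sh
#!/bin/sh
# Added example, not UAC's own code: a minimal model of a placeholder
# pipeline that rebuilds command text and hands it to eval, beside a
# hardened variant. The %user% placeholder and function names are hypothetical.
# Replace the first occurrence of PLACEHOLDER in TEMPLATE with REPLACEMENT.
substitute() {
  _t=$1; _p=$2; _r=$3
  case "$_t" in
    *"$_p"*)
      _head=${_t%%"$_p"*}; _tail=${_t#*"$_p"}
      printf '%s%s%s' "$_head" "$_r" "$_tail" ;;
    *) printf '%s' "$_t" ;;
  esac
}

# Vulnerable pattern: the substituted value becomes part of the text that
# eval parses, so shell metacharacters in it are run as commands.
vulnerable_run() {
  eval "$(substitute "$1" '%user%' "$2")"
}

# Wrap a value in single quotes, escaping embedded single quotes as '\''.
# eval then sees the whole value as one literal word, whatever it contains.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hardened pattern: quote before substituting. The value can no longer end
# the command, start another one or open a command substitution.
hardened_run() {
  eval "$(substitute "$1" '%user%' "$(shell_quote "$2")")"
}

# Defence in depth for values with a known shape: a %user% value is a
# username, so refuse anything outside a conservative allow-list.
valid_username() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Demo with a constructed value carrying metacharacters (no real system data).
demo() {
  _v='alice; echo INJECTED'
  vulnerable_run 'echo user=%user%' "$_v"   # prints two lines: the injected echo ran
  hardened_run 'echo user=%user%' "$_v"     # prints one line, value kept as data
  valid_username "$_v" && echo accepted || echo "rejected: $_v"
}
demo
```

The same quoting step applies to %line% values from foreach iterators, which have no fixed shape and so cannot be allow-listed the way a username can.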

Affected Version(s)

UAC versions from 0 up to and including 3.2.0

UAC 3.3.0-rc1

References

CVSS V4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mobasi Security Team