Command Injection Vulnerability in luci-app-tailscale-community by OpenWRT
CVE-2026-57999

7.7HIGH

Key Information:

Vendor

Openwrt

Status
Vendor
CVE Published:
29 June 2026

What is CVE-2026-57999?

The luci-app-tailscale-community package for OpenWRT has a command injection flaw in its tailscale.do_login RPC method. The user-controlled parameters loginserver and loginserver_authkey are concatenated into a shell command without proper quoting, so shell substitutions and metacharacters contained in those values are evaluated when the command string is parsed. An authenticated user can therefore execute arbitrary commands with root privileges on the affected device. This poses significant security risks to affected systems.
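To make the bug class concrete, the following is an added example written for this page; it is not code from luci-app-tailscale-community or OpenWRT. It models the vulnerable pattern (a user-supplied value spliced into a string that is handed to a shell) next to two hardened forms, using `echo` in place of the tailscale binary so it runs offline. The function names, the constructed demo input and the validation patterns are assumptions, not the project's code.

```shell
#!/bin/sh
# Added example, not code from luci-app-tailscale-community. `echo` stands in
# for the tailscale binary so the script runs offline. Function names and the
# validation patterns below are illustrative assumptions.

# Vulnerable pattern: the caller concatenates the input into a command string
# that is then re-parsed by a shell, so $(...) and backticks inside the input
# are expanded as part of the command.
unsafe_login() {
    loginserver="$1"
    sh -c "echo tailscale up --login-server=$loginserver"
}

# Fix 1 (preferred): do not re-parse at all. Pass the value as a single argv
# element; the shell never sees its contents as syntax.
argv_login() {
    loginserver="$1"
    echo tailscale up --login-server="$loginserver"
}

# Fix 2: if a command string is unavoidable, single-quote the value first.
# Every embedded ' becomes '\'' so the whole value stays one literal word.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}
quoted_login() {
    loginserver="$1"
    sh -c "echo tailscale up --login-server=$(shell_quote "$loginserver")"
}

# Defence in depth: reject values that are not a plausible control-server URL
# or auth key before any command is built. Patterns are assumptions.
valid_loginserver() {
    printf '%s' "$1" | grep -Eq '^https?://[A-Za-z0-9.:/_-]+$'
}
valid_authkey() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# Demonstration with a constructed, benign input that carries a substitution.
demo_input='https://example.invalid/$(echo SUBSTITUTED)'
echo "unsafe : $(unsafe_login "$demo_input")"
echo "argv   : $(argv_login "$demo_input")"
echo "quoted : $(quoted_login "$demo_input")"
if valid_loginserver "$demo_input"; then
    echo "validator: accepted"
else
    echo "validator: rejected"
fi
```

Running the script shows the unsafe form printing `SUBSTITUTED` in place of the substitution, while both hardened forms print the value verbatim and the validator rejects it outright. In LuCI's Lua code the equivalent of `shell_quote` is `luci.util.shellquote`, which performs the same single-quote wrapping; the argv form corresponds to invoking the binary with an argument list rather than a concatenated command string.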

Affected Version(s)

luci 0 <= 0.11.1

References

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

lujie (@lujiefsi)