Command Injection Vulnerability in gpsd Product by ntpsec
CVE-2026-58459

8.4HIGH

Key Information:

Vendor

Ntpsec

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-58459?

The gpsd product is susceptible to a command injection vulnerability that arises from improper handling of the GPS device subtype value in its gpsprof tool. When attackers manipulate the subtype field sourced from a DEVICES JSON log or NMEA PGRMT sentence, they can craft backtick payloads in the gnuplot plot title. This oversight allows malicious users to execute arbitrary shell commands as the gnuplot user when the victim generates a plot, potentially compromising system integrity. A patch has been implemented in version 3.27.6 to address this critical flaw. It’s crucial for users to update their systems to the latest version to mitigate any risk.

Affected Version(s)

gpsd 0 <= 3.27.5

gpsd 0 <= 3.27.5

gpsd 0 <= 4c06658e988f4ced1a7a574ce082a22ef625df56

References

CVSS V4

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

CuB3y0nd
VulnCheck
.