Command Injection Vulnerability in gpsd Product by ntpsec
CVE-2026-58459
8.4HIGH
What is CVE-2026-58459?
The gpsd product is susceptible to a command injection vulnerability that arises from improper handling of the GPS device subtype value in its gpsprof tool. When attackers manipulate the subtype field sourced from a DEVICES JSON log or NMEA PGRMT sentence, they can craft backtick payloads in the gnuplot plot title. This oversight allows malicious users to execute arbitrary shell commands as the gnuplot user when the victim generates a plot, potentially compromising system integrity. A patch has been implemented in version 3.27.6 to address this critical flaw. It’s crucial for users to update their systems to the latest version to mitigate any risk.
Affected Version(s)
gpsd 0 <= 3.27.5
gpsd 0 <= 3.27.5
gpsd 0 <= 4c06658e988f4ced1a7a574ce082a22ef625df56
