Privilege Escalation Vulnerability in luci-app-travelmate by OpenWrt
CVE-2026-58652
7.7 HIGH
What is CVE-2026-58652?
The luci-app-travelmate and travelmate packages contain a privilege escalation vulnerability that allows unauthorized users to execute arbitrary commands as root. The LuCI interface restricts access to specific login scripts, but this restriction is enforced only in the front end. The backend service still executes whatever script is defined in the UCI configuration through the 'script' and 'script_args' parameters, so a malicious value there can lead to system compromise. The flaw was found in version 2.4.5-r3 and persists in 2.4.6-1; no patched version is known.
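A defensive audit for the condition described above, as an added example that is not code from OpenWrt or travelmate: it reads `uci show travelmate` style output and flags `script` values outside an allowed directory and `script_args` values containing shell metacharacters. The directory `/etc/travelmate`, the function names and the sample configuration lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumption: legitimate login scripts live directly in this directory.
ALLOWED_DIR="${ALLOWED_DIR:-/etc/travelmate}"

# Reads `uci show travelmate` style lines on stdin, prints one FINDING line
# per suspicious option, and returns 1 if anything was flagged.
audit_travelmate() {
    rc=0
    while IFS= read -r line; do
        key=${line%%=*}
        val=${line#*=}
        val=${val#\'}; val=${val%\'}      # drop the quotes uci adds
        case "$key" in
            *.script)
                # rel equals val when the path does not start in ALLOWED_DIR
                rel=${val#"$ALLOWED_DIR"/}
                case "$rel" in
                    "$val"|*/*|*..*|"")
                        echo "FINDING $key outside $ALLOWED_DIR: $val"; rc=1 ;;
                esac ;;
            *.script_args)
                # Heuristic: arguments should not carry shell syntax
                case "$val" in
                    *\;*|*\|*|*\&*|*\$*|*\`*|*\<*|*\>*)
                        echo "FINDING $key has shell metacharacters: $val"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Constructed sample input (not taken from a real device).
sample_config() {
    cat <<'EOF'
travelmate.@uplink[0]=uplink
travelmate.@uplink[0].script='/etc/travelmate/example.login'
travelmate.@uplink[0].script_args='user pass'
travelmate.@uplink[1].script='/tmp/upload/hook.sh'
travelmate.@uplink[2].script='/etc/travelmate/../../tmp/hook.sh'
travelmate.@uplink[2].script_args='a; b'
EOF
}

# On a device, run: uci show travelmate | audit_travelmate
sample_config | audit_travelmate || true
```

Because the restriction is missing in the backend, this check has to run against the stored UCI configuration itself rather than against what the LuCI form accepts.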
Affected Version(s)
luci-app-travelmate 2.4.5-r3
travelmate 2.4.5-r3
