High severity · 8.8 · NVD Advisory · Published Apr 21, 2026 · Updated Apr 23, 2026
CVE-2026-39866
Description
Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue.
Affected products: 1
Patches: 1
fcba413f55dd · Merge commit from fork
1 file changed · +3 −1
.github/workflows/release_update.yml+3 −1 modified@@ -49,7 +49,9 @@ jobs: - name: Build release APK run: ./gradlew assembleLawnWithQuickstepGithubRelease - name: Rename artifact - run: mv build/outputs/apk/**/**/*.apk "${{ github.event.inputs.artifactName }}" + env: + ARTIFACT_NAME: ${{ github.event.inputs.artifactName }} + run: mv build/outputs/apk/**/**/*.apk "$ARTIFACT_NAME" - name: Attest uses: actions/attest-build-provenance@v4 with:
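Review bot: In the new run line of the Rename artifact step, "$ARTIFACT_NAME" is still handed to mv unvalidated and without an end-of-options marker, so a value beginning with "-" is read as an mv option and a value containing "/" puts the APK somewhere other than the workspace root. Moving the input into env does keep the expression from being substituted into the script text, which is the injection fix; consider also writing mv -- build/outputs/apk/**/**/*.apk "$ARTIFACT_NAME" and rejecting names that do not match an expected pattern before the move. The hunk covers only this step, so any other run: step in release_update.yml that interpolates ${{ github.event.inputs.* }} directly needs the same env treatment.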
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
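A check for the pattern this patch removes, as an added example that is not part of the advisory or the Lawnchair project: it flags `${{ github.event.* }}` and `${{ inputs.* }}` expressions pasted into a `run:` script, where they are substituted into the script text before the shell parses it. The function name `find_unsafe_run_steps` and the `BLOCK` sample are assumptions made for illustration, and the scan is line-based rather than a full YAML parse.

```python
import re
# ${{ }} expressions fed by whoever triggers the workflow (dispatch inputs, event payload).
EXPR = re.compile(r"\$\{\{\s*((?:github\.event|inputs)\.[^}]*?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_unsafe_run_steps(workflow_text):
    """Return (line_number, expression) for each such expression inside a run: script."""
    findings = []
    key_col = None  # column of the run: key while inside a | or > block scalar
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        if key_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= key_col:
                key_col = None  # a less-indented line ends the script block
            else:
                findings += [(number, m.group(1)) for m in EXPR.finditer(line)]
                continue
        match = RUN_KEY.match(line)
        if match:
            script = match.group(2)
            if script[:1] in ("|", ">"):
                key_col = len(match.group(1))
            else:
                findings += [(number, m.group(1)) for m in EXPR.finditer(script)]
    return findings

# The "Rename artifact" step before and after the fix, taken from the diff on this page.
BEFORE = '''\
      - name: Rename artifact
        run: mv build/outputs/apk/**/**/*.apk "${{ github.event.inputs.artifactName }}"
'''
AFTER = '''\
      - name: Rename artifact
        env:
          ARTIFACT_NAME: ${{ github.event.inputs.artifactName }}
        run: mv build/outputs/apk/**/**/*.apk "$ARTIFACT_NAME"
'''
# Constructed sample (not from the project): the same pattern in a block scalar.
BLOCK = '''\
      - run: |
          echo "building"
          mv out.apk "${{ inputs.artifactName }}"
      - name: Next step
        run: echo done
'''
if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("block", BLOCK)):
        print(label, find_unsafe_run_steps(text))
```

The patched step produces no finding because the expression now appears only under `env:`, where it becomes an environment variable value rather than part of the script.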
References: 2
News mentions: 0