High severity 7.8 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 13, 2026
CVE-2026-40032
Description
UAC (Unix-like Artifacts Collector) before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the _run_command() function passes constructed command strings directly to eval without proper sanitization. Attackers can inject shell metacharacters or command substitutions through attacker-controlled inputs including %line% values from foreach iterators and %user% / %user_home% values derived from system files to achieve arbitrary command execution with the privileges of the UAC process.
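The pattern the description names, reduced to a minimal POSIX sh sketch (an added example, not UAC's code and not the upstream fix). The function names are hypothetical and the `%line%` value is constructed; it shows the same template run with and without quoting the substituted value before `eval`.

```shell
#!/bin/sh
# Added illustration; none of these functions exist in UAC.

# Replace every %name% in template $1 with value $3 (pure POSIX sh).
substitute() {
  tpl=$1 ph="%$2%" val=$3 out=
  while :; do
    case $tpl in
      *"$ph"*) out=$out${tpl%%"$ph"*}$val; tpl=${tpl#*"$ph"} ;;
      *) break ;;
    esac
  done
  printf '%s' "$out$tpl"
}

# Wrap a value in single quotes so eval sees one literal word.
# An embedded ' becomes '\'' (close quote, escaped quote, reopen).
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Weak form: the raw value is spliced into the string given to eval,
# so ; | & $(...) and backticks in the value are parsed as shell syntax.
run_unsafe() {
  eval "$(substitute "$1" line "$2")"
}

# Hardened form: the value is quoted before substitution.
# Assumption: the placeholder sits unquoted in the template. Inside
# "..." the added single quotes are literal and $(...) still expands.
run_safe() {
  eval "$(substitute "$1" line "$(shell_quote "$2")")"
}

# Constructed input standing in for one line of foreach output.
line='a.txt; echo INJECTED'
run_unsafe 'echo %line%' "$line"   # second command runs
run_safe   'echo %line%' "$line"   # value printed verbatim
```
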
Affected products (1)
Patches (0)
No patches discovered yet.
References (7)
- github.com/tclahr/uac/commit/50ace60e172e38feb78347bdf579311c23eff078 (nvd)
- github.com/tclahr/uac/commit/cb95d7166cd47908e1189d9669e43f9a6d3d707f (nvd)
- github.com/tclahr/uac/commit/d0fca5e36d8d6a33a4404f0f6fe92b0424544589 (nvd)
- github.com/tclahr/uac/issues/429 (nvd)
- github.com/tclahr/uac/pull/443 (nvd)
- mobasi.ai/sentinel (nvd)
- www.vulncheck.com/advisories/uac-rc1-command-injection-via-placeholder-substitution (nvd)