luci-app-https-dns-proxy Authenticated Command Injection via setInitAction

Description

luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user holding the luci.https-dns-proxy ACL permission can inject shell metacharacters through the 'name' parameter of a ubus RPC call to luci.https-dns-proxy setInitAction, resulting in arbitrary command execution as root on the underlying device. Core OpenWrt is not affected; only installations that have opted in to the luci-app-https-dns-proxy package are vulnerable.

Affected Products

Vendor	Product	Versions
openwrt	luci-app-https-dns-proxy	0, < 2026-01-17

References

https://www.exploit-db.com/exploits/52521(exploit)
https://github.com/stangri/luci-app-https-dns-proxy(product)
https://www.vulncheck.com/advisories/luci-app-https-dns-proxy-authenticated-command-injection-via-setinitaction(third-party-advisory)

Related News (2 articles)

Tier C

VulDB15d ago

CVE-2026-46368 | mossdef-org luci-app-https-dns-proxy up to 2025.12.29-5 RPC Call setInitAction Name command injection (Exploit 52521 / EDB-52521)

→ No new info (linked only)

Tier C

Exploit-DB42d ago

[local] OpenWrt 23.05 - Authenticated Remote Code Execution (RCE)

→ No new info (linked only)

CVSS 3.18.8 NONE

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-77, CWE-78

PublishedMay 26, 2026

Last enriched15d agov2

luci-app-https-dns-proxy Authenticated Command Injection via setInitAction

Description

Affected Products

References

Related News (2 articles)

Community Vote

Related CVEs (5)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History