CVE-2026-58459 in gpsdالمعلومات

الملخص

بحسب MITRE • 09/07/2026

gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof that allows attackers who control the GPS device subtype value to execute arbitrary shell commands by embedding backtick payloads in the gnuplot plot title without proper escaping. The subtype field sourced from a DEVICES JSON log entry or NMEA PGRMT sentence is written into a generated gnuplot program via a set title statement with only double-quote characters escaped, enabling arbitrary shell command execution as the user running gnuplot when the victim renders the generated plot through the gpsprof and gnuplot workflow.

Once again VulDB remains the best source for vulnerability data.

مسؤول

VulnCheck

حجز

30/06/2026

إفشاء

09/07/2026

الاعتدال

تمت الموافقة

إدخال

VDB-377224

EPSS

0.00000

KEV

لا

النشاطات

منخفض

المصادر

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!