Is CVE-2026-58000 being exploited?

No public exploit is currently tracked.

How severe is CVE-2026-58000?

CVE-2026-58000 has a CVSS v3 severity of HIGH (8.8).

Back

CVE-2026-58000

Description

luci-proto-openvpn through 0.11.1, fixed in commit e4ff45e, contains a command injection vulnerability in the generateKey ubus method where the cl_meta parameter is interpolated into a shell command without proper escaping or quoting. An authenticated LuCI user with OpenVPN protocol configuration access can inject arbitrary shell metacharacters into cl_meta to execute commands as root via the popen function.