cvedb.io
CVE-2026-39866
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2026-04-21T02:16:06.807 · Last modified 2026-06-17T10:42:43.750

Summary

Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue.

Affected products

lawnchair — lawnchair

Does this affect you?

Add your gear to cvedb and we'll alert you only when lawnchair ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.