Description
UAC (Unix-like Artifacts Collector) before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the _run_command() function passes constructed command strings directly to eval without proper sanitization. Attackers can inject shell metacharacters or command substitutions through attacker-controlled inputs including %line% values from foreach iterators and %user% / %user_home% values derived from system files to achieve arbitrary command execution with the privileges of the UAC process.
Published: 2026-04-08
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Command Execution
Action: Patch Immediately
AI Analysis

Impact

UAC (Unix-like Artifacts Collector) that processes log or system files builds command strings by interpolating placeholder values and then passes them to eval without sanitization. This flaw, identified as CWE‑78, permits a malicious actor to inject shell metacharacters or command substitutions through attacker‑controlled inputs such as %line% values from foreach iterators and system‑derived %user% or %user_home% placeholders. The result is arbitrary command execution with the privileges of the UAC process.

Affected Systems

Affected are installations of UAC by tclahr before version 3.3.0‑rc1. The vulnerability resides in the placeholder substitution logic of the _run_command function and is present in all releases up to, but not including, 3.3.0‑rc1. No other versions are known to be impacted.

Risk and Exploitability

The CVSS score is 8.5, indicating high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through manipulation of input data that UAC consumes; based on the description, it is inferred that an attacker who can supply crafted values to the placeholder substitution (for example by creating or modifying log entries that UAC processes) can trigger the eval path and execute arbitrary commands. This attack does not require complex prerequisites beyond controlling the input data, making it relatively straightforward for an attacker with access to the affected system.

Generated by OpenCVE AI on April 8, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade UAC to version 3.3.0‑rc1 or later.
  • Verify that the upgrade has been successfully applied and the UAC process no longer uses the insecure eval path.

Generated by OpenCVE AI on April 8, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Tclahr
Tclahr uac
Vendors & Products Tclahr
Tclahr uac

Wed, 08 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description UAC (Unix-like Artifacts Collector) before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the _run_command() function passes constructed command strings directly to eval without proper sanitization. Attackers can inject shell metacharacters or command substitutions through attacker-controlled inputs including %line% values from foreach iterators and %user% / %user_home% values derived from system files to achieve arbitrary command execution with the privileges of the UAC process.
Title UAC < 3.3.0-rc1 Command Injection via Placeholder Substitution
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Tclahr Uac
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:42:13.643Z

Reserved: 2026-04-08T13:36:53.761Z

Link: CVE-2026-40032

cve-icon Vulnrichment

Updated: 2026-04-09T19:32:40.243Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T22:16:23.827

Modified: 2026-06-17T10:44:38.260

Link: CVE-2026-40032

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:25:50Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')