Impact
The luci-app-tailscale-community package contains a command injection flaw. The flaw resides in the tailscale.do_login RPC, where the supplied loginserver and loginserver_authkey parameters are embedded directly in a double-quoted shell command string. Because the parameters are neither escaped nor passed as separate arguments, an authenticated attacker can place shell substitutions such as $() in the values, and the outer shell expands them and executes arbitrary commands as root. The weakness maps to CWE-78 (OS command injection) and permits arbitrary command execution at the highest privilege level.
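To make the distinction concrete, the following POSIX shell snippet is an added illustration and is not code from the luci-app-tailscale-community package or from the tailscale project. It contrasts the unsafe pattern described above (interpolating the two RPC parameters into a double-quoted command string that the shell re-parses) with a hardened version that validates each value against an allowlist and hands it to the program as its own argv element, so the shell never re-interprets it. The fake_tailscale function, the allowlists, and the flag names are assumptions made for the example.

```sh
#!/bin/sh
# Added example: unsafe string interpolation versus validated, argv-based invocation.
# fake_tailscale is a stand-in for the real binary; it just prints its arguments.

fake_tailscale() {
    printf '%s\n' "$@"
}

# UNSAFE (the pattern the advisory describes): the values are spliced into a
# command string and the shell parses that string again, so any $(...) or
# similar construct inside loginserver/authkey is expanded with the caller's
# privileges. Shown for contrast only; do not use this pattern.
unsafe_login() {
    eval "fake_tailscale login --login-server=\"$1\" --auth-key=\"$2\""
}

# Allowlist check for loginserver: must be an http(s) URL built only from
# characters that cannot start a shell construct (assumed policy).
validate_loginserver() {
    case "$1" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9./:_-]*) return 1 ;;
    esac
    return 0
}

# Allowlist check for the auth key: non-empty, alphanumerics plus '-' and '_'
# (assumed policy; tighten to the real key format if known).
validate_authkey() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# HARDENED: validate first, then pass each value as one argv element. With no
# eval and no "sh -c", the shell performs no expansion on the contents.
# Returns 2 for a rejected loginserver, 3 for a rejected auth key.
safe_login() {
    loginserver=$1
    authkey=$2
    validate_loginserver "$loginserver" || return 2
    validate_authkey "$authkey" || return 3
    fake_tailscale login --login-server="$loginserver" --auth-key="$authkey"
}

# Usage: the validated call passes the values through untouched.
safe_login 'https://login.example.invalid' 'tskey-auth-abc123'
```

The essential change is the second one: even without the allowlists, an argv-based call removes the re-parsing step that turns a parameter into code. The allowlists add defence in depth and give the RPC a clear error to return instead of forwarding unexpected input to the binary.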
Affected Systems
The affected software is the luci-app-tailscale-community component of the OpenWrt Luci suite. Versions that include the vulnerable implementation lack the proper quoting for the loginserver and loginserver_authkey fields. No specific version ranges are listed in the CNA data, so administrators should review their installed luci-app-tailscale-community packages and consider upgrading whenever a patched release becomes available.
Risk and Exploitability
The CVSS score of 7.7 corresponds to High severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the ability to achieve root-level command execution remains a serious threat. Exploitation requires an authenticated session that can call the tailscale.do_login RPC; an attacker with such access can supply values that the system shell interprets before the intended command runs. Given the lack of a publicly known exploit at the time of analysis, the risk remains high but contingent on possession of valid credentials.
OpenCVE Enrichment