Home

Description

gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof that allows attackers who control the GPS device subtype value to execute arbitrary shell commands by embedding backtick payloads in the gnuplot plot title without proper escaping. The subtype field sourced from a DEVICES JSON log entry or NMEA PGRMT sentence is written into a generated gnuplot program via a set title statement with only double-quote characters escaped, enabling arbitrary shell command execution as the user running gnuplot when the victim renders the generated plot through the gpsprof and gnuplot workflow.

PUBLISHED Reserved 2026-06-30 | Published 2026-07-09 | Updated 2026-07-14 | Assigner VulnCheck




HIGH: 8.4CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
affected

Any version
affected

Any version
affected

Credits

CuB3y0nd finder

VulnCheck coordinator

References

gitlab.com/gpsd/gpsd/-/work_items/404 issue-tracking

github.com/...ommit/5581ba196d826a984fbfaf792b7d58535f9911ce (Patch Commit (1)) patch

github.com/...ommit/1a6bb7bcbdf58aa940132e630870af061dc88537 (Patch Commit (2)) patch

github.com/...ommit/4c06658e988f4ced1a7a574ce082a22ef625df56 (Patch Commit (3)) patch

www.vulncheck.com/...on-via-gnuplot-plot-title-subtype-field third-party-advisory

cve.org (CVE-2026-58459)

nvd.nist.gov (CVE-2026-58459)

Download JSON