Back to overview

CVE-2026-58459

HIGH
7.8
CVSS 3.1
Description
gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof that allows attackers who control the GPS device subtype value to execute arbitrary shell commands by embedding backtick payloads in the gnuplot plot title without proper escaping. The subtype field sourced from a DEVICES JSON log entry or NMEA PGRMT sentence is written into a generated gnuplot program via a set title statement with only double-quote characters escaped, enabling arbitrary shell command execution as the user running gnuplot when the victim renders the generated plot through the gpsprof and gnuplot workflow.

Metadata

CVE ID
CVE-2026-58459
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-30 20:20 UTC
Published
2026-07-09 16:14 UTC
Last updated
2026-07-09 16:14 UTC
Primary CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Co…
Vendor / Product
ntpsec / gpsd
Sources
cve.org  ·  NVD

Severity & Metrics

7.8 HIGH CVSS 3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
ntpsec gpsd 0 ≤ 3.27.5, 0 ≤ 4c06658e988f4ced1a7a574ce082a22ef625df56
Weakness (CWE)
CWESourceDescription
CWE-78 cna Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.4 HIGH 4.0 cna CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
7.8 HIGH 3.1 cna CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Back to overview