What is CVE-2026-39866?

CVE-2026-39866 is a vulnerability in Lawnchairlauncher Lawnchair, classified under Command Injection. Published 2026-04-21.

Is CVE-2026-39866 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Lawnchairlauncher Lawnchair

CVE-2026-39866

Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a39214…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.001 (22.1th percentile) — read the EPSS interpretation.

Affected products

Lawnchairlauncher Lawnchair — versions < fcba413f55dd47f8a3921445252849126c6266b2

Weakness classification (CWE)

CWE-77 — Command Injection

Public proof-of-concept exploits

abhayclasher/CVE-2026-39866

References

https://github.com/LawnchairLauncher/lawnchair/security/advisories/GHSA-9prc-pp2c-3427 (x_refsource_CONFIRM)
https://github.com/LawnchairLauncher/lawnchair/commit/fcba413f55dd47f8a3921445252849126c6266b2 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-39866?: CVE-2026-39866 is a vulnerability in Lawnchairlauncher Lawnchair, classified under Command Injection. Published 2026-04-21.
Is CVE-2026-39866 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.