CVE-2026-54161
Publication date 6 July 2026
Last updated 10 July 2026
Ubuntu priority
Description
upsmon: remote OS command injection (RCE) via attacker-controlled ups.alarm in NOTIFYCMD execution
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| nut | 26.04 LTS resolute |
Vulnerable, fix deferred
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Notes
mdeslaur
The issue was introduced in nut 2.8.3 as of 2026-07-10, the proposed fix has not been commited by nut developers