CVE-2026-55748

Summary

OpenStack Horizon before 25.7.4 produces scripts for OpenStack RC file downloading that may have a crafted project name with shell metacharacters. NOTE: some parties consider this a security hardening opportunity to address certain types of user error, not a vulnerability.

Affected Software

VendorProductVersion RangeStatus
OpenStackHorizon8.0.0 < 25.3.3affected
OpenStackHorizon25.4.0 < 25.5.3affected
OpenStackHorizon25.6.0 < 25.7.4affected

Weaknesses

  • CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References