CVE-2026-21915
Shell Command Injection in Juniper JSI vLWC Enables Root Escalation
Publication date: 2026-04-09
Last updated on: 2026-04-09
Assigner: Juniper Networks, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| juniper_networks | jsi_virtual_lightweight_collector | to 3.0.94 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-183 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Permissive List of Allowed Input issue in the CLI of Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC). It allows a local attacker with high privileges to escalate their privileges to root.
The CLI menu accepts input without properly validating it, which enables shell command injection. These injected shell commands run with root permissions, allowing the attacker to gain complete control over the system.
This affects all JSI vLWC versions before 3.0.94.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can escalate their privileges to root on the affected system.
With root access, the attacker can execute arbitrary commands with full system control, potentially leading to data theft, system manipulation, disruption of services, or further compromise of the network.