CVE-2026-58459
Received Received - Intake

Command Injection in gpsd via gpsprof gnuplot Title

Vulnerability report for CVE-2026-58459, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulnCheck

Description

gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof that allows attackers who control the GPS device subtype value to execute arbitrary shell commands by embedding backtick payloads in the gnuplot plot title without proper escaping. The subtype field sourced from a DEVICES JSON log entry or NMEA PGRMT sentence is written into a generated gnuplot program via a set title statement with only double-quote characters escaped, enabling arbitrary shell command execution as the user running gnuplot when the victim renders the generated plot through the gpsprof and gnuplot workflow.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ntpsec gpsd to 3.27.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58459 is a command injection vulnerability in the gpsprof tool of gpsd versions up to 3.27.5. It occurs because the subtype field from GPS device metadata, which can be controlled by an attacker, is inserted into a gnuplot plot title without proper escaping. Specifically, only double-quote characters are escaped, but backtick characters are not, allowing an attacker to embed backtick payloads that execute arbitrary shell commands when the victim renders the plot using gpsprof and gnuplot.

The subtype value is sourced from either a DEVICES JSON log entry or an NMEA PGRMT sentence. Because the input is not properly sanitized, an attacker can inject malicious commands that run with the privileges of the user running gnuplot.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary shell commands on the system where gpsprof and gnuplot are used to render GPS device data plots. The commands run with the privileges of the user executing gnuplot, which could lead to unauthorized access, data manipulation, or disruption of services.

The impact includes potential compromise of confidentiality, integrity, and availability of the affected system. Although the vulnerability does not grant root privileges by itself, if gnuplot is run with elevated permissions, the attacker could gain higher-level control.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious or malformed GPS device subtype values that include backtick (`) characters or other command-substitution syntax in DEVICES JSON log entries or NMEA PGRMT sentences.

Detection can involve inspecting logs or network traffic for GPS metadata containing backticks or unusual characters in the subtype field that could be used to inject shell commands.

Specific commands to detect exploitation attempts might include searching logs or input data for backticks or suspicious patterns, for example:

  • grep -r '\`' /path/to/gpsd/logs
  • tcpdump -A -s 0 port 2947 | grep '\`'
  • Inspect NMEA sentences for PGRMT sentences containing backticks or unusual characters.

Additionally, monitoring for unexpected execution of gnuplot or unusual gnuplot plot titles containing backticks could help identify exploitation.

Mitigation Strategies

The immediate mitigation step is to update gpsd to a version that includes the fix for this vulnerability, specifically the commit 4c06658 or later, which properly escapes backticks and other special characters in the gpsprof tool.

If updating is not immediately possible, avoid processing untrusted GPS device subtype data or rendering plots with gpsprof and gnuplot from untrusted sources.

Restrict access to gpsd and gpsprof services to trusted users and networks to reduce the risk of exploitation.

Consider monitoring and filtering input data to gpsd to prevent injection of malicious subtype values containing backticks or command substitution syntax.

Compliance Impact

The CVE-2026-58459 vulnerability allows attackers to execute arbitrary shell commands through a command injection flaw in gpsprof when processing GPS device subtype values. This can lead to unauthorized command execution with the privileges of the user running gnuplot.

Such unauthorized command execution can compromise the confidentiality, integrity, and availability of systems processing GPS data, potentially leading to data breaches or system disruptions.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to execute arbitrary commands and potentially access or manipulate sensitive data could result in violations of these regulations, which require protection of personal and sensitive information.

Organizations using affected versions of gpsd should consider this vulnerability a risk to compliance frameworks that mandate strict controls on data security and system integrity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58459. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart