CVE-2026-4480
Critical · CVSS 9.0
Samba — OS Command Injection via unescaped shell metacharacters in print job description (CWE-78)
- CVSS: 9.0 (nvd)
- EPSS: —
- KEV: No
- Class: kernel local
- CWE: CWE-78
Description
A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell metacharacters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system.
Search profile — drives PoC discovery
Symbols: %J, print command, job description, printing subsystem, spoolss, printjob, shell metacharacters, lp_print_command
Keywords: CVE-2026-4480, Samba, print command, %J substitution, job description shell injection, Samba RCE printing, Samba spoolss command injection, Samba print job description exploit
Candidate PoCs (4) — discovered, not yet vetted or ranked
- TheCyberGeek/CVE-2026-4480-PoC ★ 12 (nomi_sec)
- CarlosEduardoPM/CVE-2026-4480-POC ★ 1 (nomi_sec)
- robinxiang/CVE-2026-4480 ★ 1 (nomi_sec)
- 0xBlackash/CVE-2026-4480 ★ 0 (nomi_sec)
Recall-favoring discovery (nomi-sec + trickest). Vetting + ranking is the Stage-4 scorer.
References
- https://access.redhat.com/errata/RHSA-2026:22644
- https://access.redhat.com/errata/RHSA-2026:22963
- https://access.redhat.com/errata/RHSA-2026:25049
- https://access.redhat.com/errata/RHSA-2026:25979
- https://access.redhat.com/security/cve/CVE-2026-4480
- https://bugzilla.redhat.com/show_bug.cgi?id=2452232
- https://bugzilla.samba.org/show_bug.cgi?id=16033
Status: enriched · ingested 2026-06-16T00:00:58.000Z · profiled 2026-06-16T18:20:23.035Z