The problem specifically exists within the feature to execute local cgi-bin programs via the "lynxcgi:" URI handler. The handler is generally intended to be restricted to a specific directory or program(s). However, due to a configuration error on multiple platforms, the default settings allow for arbitrary websites to specify commands to run as the user running Lynx.
Successful exploitation of the described vulnerability allows remote attackers to execute arbitrary commands with the privileges of the underlying user. Exploitation requires that an attacker convince a target user to follow a malicious link from within a vulnerable version of Lynx. The "lynxexec" and "lynxprog" URI handlers can also be used to trigger the issue. However, they are rarely compiled into the Lynx binary.
Workaround:
Disable "lynxcgi" links by specifying the following directive in lynx.cfg:
TRUSTED_LYNXCGI:none
