CVE-2026-3040

Name of the Vulnerable Software and Affected Versions DrayTek Vigor 300B versions up to 1.5.1.6

Description A flaw exists in DrayTek Vigor 300B that allows for operating system command injection. This issue is located within the cgiGetFile function of the /cgi-bin/mainfunction.cgi/uploadlangs file, part of the Web Management Interface component. The File argument can be manipulated to execute arbitrary commands remotely. The vendor has stated that the product is end-of-life and will not be patched. The exploit is publicly available.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.