CVE-2026-2823

CVSS v3.1

8.8

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Comfast CF-E7 version 2.6.0.9

Description A command injection issue exists due to manipulation of the

timestr

argument in the

sub 41ACCC

function of the

/cgi-bin/mbox-config?method=SET&section=ntp timezone

file within the webmggnt component. This allows for remote execution of commands. The exploit is publicly available. The vendor was notified but did not respond.

Recommendations Versions prior to 2.6.0.9 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Command Injection

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-74

Related Identifiers

CVE-2026-2823

Affected Products

Comfast Cf-E7

CVE-2026-2823

Weakness Enumeration

Related Identifiers

Affected Products

References · 5