CVE-2026-26792

Name of the Vulnerable Software and Affected Versions GL-iNet GL-AR300M16 version 4.3.11

Description The GL-iNet GL-AR300M16 device contains multiple command injection flaws within the set upgrade function. These flaws are triggered through manipulation of the modem url, target version, current version, firmware upload, hash type, hash value, and upgrade type parameters. Successful exploitation allows attackers to execute arbitrary commands.

Recommendations Versions prior to 4.3.11 are potentially affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.