PT-2026-25145 · Git+2 · Thingino-Firmware+1

Azmi Alsarayrah · Published 2026-03-13 · Updated 2026-03-26 · CVE-2026-22209

CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
thingino-firmware versions prior to commit e3f6a41
wpDiscuz versions prior to 7.6.47
Description
thingino-firmware contains an unauthenticated operating system command injection issue in the WiFi captive portal CGI script. The parse_query() and parse_post() functions pass HTTP parameter names to eval without sanitising them, so a crafted parameter name is executed as shell code by the CGI process, which runs as root. A remote attacker on the adjacent network (the captive portal's WiFi, matching the AV:A vector) can therefore execute arbitrary commands and make privileged configuration changes, including resetting the root password and modifying the SSH authorized_keys file, resulting in full, persistent compromise of the device.
wpDiscuz contains a stored cross-site scripting issue in the customCss field. The field's contents are rendered inside a style block, and an attacker with administrator access can close that block from within the CSS and inject markup, so arbitrary JavaScript runs in the browser of any user who views the affected page. Exploitation requires admin privileges.
Recommendations
thingino-firmware versions prior to commit e3f6a41: Update to commit e3f6a41 or later. Since the fix is identified by a commit rather than a tagged release, confirm that the build running on the device actually includes that commit.
wpDiscuz versions prior to 7.6.47: Update to version 7.6.47 or later.

Fix

OS Command Injection

XSS


Weakness Enumeration

Related identifiers

CVE-2026-22209

Affected products

Thingino-Firmware
Wpdiscuz