PT-2026-28353 · Unknown · Thingino-Firmware

Azmi Alsarayrah · Published 2026-03-26 · Updated 2026-06-03 · CVE-2026-26213

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: thingino-firmware versions prior to firmware-2026-03-16

Description: The software contains an unauthenticated operating system command injection flaw in the WiFi captive portal CGI script. It allows remote attackers to execute arbitrary commands as root by injecting shell syntax through unsanitized HTTP parameter names: the parse_query() and parse_post() functions pass those names through eval, which yields remote code execution and privileged configuration changes. These changes include resetting the root password and modifying SSH authorized keys, potentially leading to full and persistent device compromise.

Recommendations: Update thingino-firmware to a version later than firmware-2026-03-16.
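The root cause described above is a shell CGI parser that builds an eval statement from raw parameter names. As an added defensive illustration (this is not thingino's code, and the captive portal is only assumed to be a POSIX/BusyBox shell CGI script), the following parser allowlists every parameter name before the single remaining eval and passes the decoded value through a variable reference so it is assigned rather than parsed as code. The function names url_decode and parse_query, the QS_ variable prefix and the sample query strings are this example's own.

```shell
#!/bin/sh
# Added example, not thingino's code: a query-string parser for a POSIX /
# BusyBox shell CGI (the advisory's captive portal is assumed to be such a
# script). Names url_decode, parse_query and the QS_ prefix are this
# example's own.
#
# Assumed unsafe pattern being replaced: eval "$name=$value" on raw input,
# where shell syntax inside the parameter *name* (or value) is executed as
# the CGI's user, which is root on many embedded devices.

# url_decode: '+' becomes a space and %XX becomes the byte XX. Each byte is
# rewritten as a \0nnn octal escape for printf %b, so no eval is involved,
# and a literal backslash in the input is preserved.
url_decode() {
    s=$(printf '%s' "$1" | sed 's/+/ /g')
    out=''
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hh=${s#?}; hh=${hh%"${hh#??}"}        # the two hex digits
                out="$out$(printf '\\0%03o' "$((0x$hh))")"
                s=${s#???}
                ;;
            *)
                c=${s%"${s#?}"}                       # first character
                [ "$c" = '\' ] && c='\\'
                out="$out$c"
                s=${s#?}
                ;;
        esac
    done
    printf '%b' "$out"
}

# parse_query QUERY_STRING: split on '&', allowlist each name as
# [A-Za-z0-9_]+ and store it as QS_<name>. Returns 1 if any parameter was
# rejected. The only eval left receives an allowlisted name and the text
# "\$value", so the decoded value is assigned, never parsed as shell code.
parse_query() {
    qs=$1
    rc=0
    oldifs=$IFS
    set -f; IFS='&'; set -- $qs; set +f           # split without globbing
    IFS=$oldifs
    for pair in "$@"; do
        [ -z "$pair" ] && continue
        name=${pair%%=*}
        value=${pair#*=}
        [ "$pair" = "$name" ] && value=''          # bare "name" with no '='
        case $name in
            ''|*[!A-Za-z0-9_]*)
                rc=1                               # drop it and report it
                continue
                ;;
        esac
        value=$(url_decode "$value")
        eval "QS_$name=\$value"
    done
    return $rc
}

# Stand-alone demo on a constructed query string (not from a real device).
parse_query 'ssid=home%20net&key=p%2Bw%3D1' \
    && printf 'ssid=%s key=%s\n' "$QS_ssid" "$QS_key"
```

The two properties worth checking in any such parser are visible in the code: a name that is not purely alphanumeric never reaches eval (it is dropped and the caller learns of it through the return code), and a value containing shell metacharacters ends up stored verbatim in a variable rather than interpreted, so an attacker who controls a value gains nothing from it.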

Tags: Fix · RCE · OS Command Injection


Weakness Enumeration

Related identifiers: CVE-2026-26213

Affected products: Thingino-Firmware