PT-2026-28734 · Totolink · Totolink A3600R

Wxhwxhwxh_Mie · Published 2026-03-29 · Updated 2026-03-29 · CVE-2026-5020

CVSS v2.0: 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Name of the Vulnerable Software and Affected Versions: Totolink A3600R version 4.1.2cu.5182 B20201102

Description: A command injection issue exists in the setNoticeCfg function within the /cgi-bin/cstecgi.cgi file of the Parameter Handler component. Manipulation of the NoticeUrl argument can allow remote attackers to execute arbitrary commands. The exploit for this issue is publicly available and may be used to compromise the system.

Recommendations: Update the firmware to mitigate the risks. As a temporary workaround, consider restricting access to the /cgi-bin/cstecgi.cgi file.

Exploit

Fix

Special Elements Injection

Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-5020

Affected Products: Totolink A3600R