CVE-2026-5691

Name of the Vulnerable Software and Affected Versions Totolink A7100RU version 7.4cu.2313 b20191024

Description The setFirewallType() function within the '/cgi-bin/cstecgi.cgi' endpoint fails to properly neutralize special characters used in operating system commands when processing the firewallType parameter. This allows a remote attacker to bypass security restrictions and execute arbitrary OS commands (OS command injection is a flaw where an attacker can execute system-level commands on a host operating system via a vulnerable application).

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.