PT-2026-3432 · Totolink · Totolink Lr350

Wxhwxhwxh_Mie · Published 2025-01-10 · Updated 2026-01-29 · CVE-2026-1149

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Totolink LR350 version 9.3.5u.6369 B20220309

Description

A flaw exists in the Totolink LR350 device. This issue is located within the setDiagnosisCfg function of the /cgi-bin/cstecgi.cgi file, part of the POST Request Handler component. Manipulation of the ip argument can result in command injection. The attack can be initiated remotely. The exploit is publicly available.

Recommendations

Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the /cgi-bin/cstecgi.cgi file.

Exploit

Fix

Command Injection

Special Elements Injection

Weakness Enumeration

Related Identifiers

BDU:2026-00612
CVE-2026-1149

Affected Products

Totolink Lr350