PT-2026-36910 · Unknown · Wifi Extender Wdr201A

Daniele Berardinelli +1 · Published 2026-05-04 · Updated 2026-05-05 · CVE-2026-41922

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02)

Description

An OS command injection issue exists in the 'wireless.cgi' binary. Unauthenticated remote attackers can execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. This is possible due to unsanitized parameter handling within the set_wifi_basic() and set_wifi_do_wps() functions.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
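
The following is an added example, not code from the vendor firmware or from this advisory: allow-list validation for the two parameters named in the description, of the kind a CGI handler needs before a value gets anywhere near a command. Assumptions: the valid channel range is 0 (auto) to 14, the PIN is an 8-digit WPS PIN carrying the standard checksum digit, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 only if s consists of min_len..max_len ASCII digits and nothing else. */
static int all_digits(const char *s, size_t min_len, size_t max_len)
{
    size_t n = s ? strlen(s) : 0;
    if (n < min_len || n > max_len) return 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] < '0' || s[i] > '9') return 0;
    return 1;
}

/* sz11gChannel: assumed range 0 (auto) to 14.
 * Stores the parsed integer in *out; returns 0 on success, -1 on reject. */
int parse_channel(const char *s, int *out)
{
    if (!all_digits(s, 1, 2)) return -1;
    int v = 0;
    for (const char *p = s; *p; p++) v = v * 10 + (*p - '0');
    if (v > 14) return -1;
    *out = v;   /* callers use the integer, never the original string */
    return 0;
}

/* PIN: assumed to be exactly 8 digits; the weighted digit sum (3,1,3,1,...)
 * of a valid WPS PIN is a multiple of 10. Returns 1 if valid, 0 otherwise. */
int valid_wps_pin(const char *s)
{
    if (!all_digits(s, 8, 8)) return 0;
    unsigned acc = 0;
    for (int i = 0; i < 8; i++)
        acc += (unsigned)(s[i] - '0') * (i % 2 == 0 ? 3u : 1u);
    return acc % 10 == 0;
}

int main(void)
{
    /* Constructed sample inputs, including values with trailing non-digits. */
    const char *chans[] = { "6", "14", "15", "6;x", "" };
    const char *pins[]  = { "12345670", "12345678", "1234567", "12345670 x" };
    for (size_t i = 0; i < sizeof chans / sizeof *chans; i++) {
        int ch = -1;
        printf("channel \"%s\": %s\n", chans[i],
               parse_channel(chans[i], &ch) == 0 ? "accept" : "reject");
    }
    for (size_t i = 0; i < sizeof pins / sizeof *pins; i++)
        printf("pin \"%s\": %s\n", pins[i], valid_wps_pin(pins[i]) ? "accept" : "reject");
    return 0;
}
```

Values that pass should still reach the underlying tool as separate argv elements (for example through execv) rather than being interpolated into a shell command string.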

Exploit

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-41922

Affected Products

Wifi Extender Wdr201A