PT-2026-36911 · Unknown · Wifi Extender Wdr201A

Daniele Berardinelli +1 · Published 2026-05-04 · Updated 2026-05-05 · CVE-2026-41923

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02)

Description

An OS command injection issue exists in the 'internet.cgi' binary. Unauthenticated remote attackers can execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. This occurs because the set_add_routing() function concatenates the unsanitized parameter into a command string that is executed via popen(); partial output of the command is reflected in the HTTP response.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
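
The class of fix the description points to, as an added example that is not the vendor's code (the firmware source is not on this page): validate the gateway value as a strict IPv4 literal and hand it to the routing tool as one argv element instead of concatenating it into a popen() command string. The function names, the `route add -host ... gw ...` argument layout, the destination parameter and the sample inputs are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: accept only a canonical dotted-quad IPv4 literal.
 * inet_pton() rejects whitespace, shell metacharacters and trailing bytes;
 * the inet_ntop() round trip also rejects non-canonical spellings. */
int gateway_is_valid(const char *gw)
{
    struct in_addr addr;
    char canon[INET_ADDRSTRLEN];

    if (gw == NULL || strlen(gw) >= INET_ADDRSTRLEN)
        return 0;
    if (inet_pton(AF_INET, gw, &addr) != 1)
        return 0;
    if (inet_ntop(AF_INET, &addr, canon, sizeof canon) == NULL)
        return 0;
    return strcmp(gw, canon) == 0;
}

/* Hypothetical replacement for the concatenated command string: fill an
 * argv vector meant for execv()/posix_spawn(), so no shell ever parses the
 * value. The "route add -host <dest> gw <gateway>" layout is an assumption.
 * Returns the argument count, or -1 if either value fails validation. */
int build_route_argv(const char *dest, const char *gw,
                     const char *argv[], size_t cap)
{
    if (cap < 7 || !gateway_is_valid(dest) || !gateway_is_valid(gw))
        return -1;
    argv[0] = "route"; argv[1] = "add"; argv[2] = "-host";
    argv[3] = dest;    argv[4] = "gw";  argv[5] = gw;
    argv[6] = NULL;
    return 6;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "192.168.1.1", "192.168.1.1;id", "192.168.001.1" };
    const char *argv[7];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               build_route_argv("10.0.0.5", samples[i], argv, 7) == 6
                   ? "accepted" : "rejected");
    return 0;
}
```

Until a fixed firmware is available, the same allow-list check can be applied in front of the device, for example in a reverse proxy that drops requests to 'internet.cgi' whose gateway value is not a plain IPv4 address.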

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-41923

Affected Products

Wifi Extender Wdr201A