CVE-2026-41924

Name of the Vulnerable Software and Affected Versions WDR201A WiFi Extender HW V2.1 FW LFMZX28040922V1.02

Description An OS command injection issue exists in the 'makeRequest.cgi' binary. Unauthenticated remote attackers can execute arbitrary shell commands by injecting malicious input into the set time or StartSniffer functions. This is achieved by crafting a POST request with ampersand-delimited parameters to bypass input sanitization, allowing command execution with a maximum length of 31 bytes via the date command or channel parameter processing.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.