CVE-2026-41926

Name of the Vulnerable Software and Affected Versions WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02)

Description An OS command injection issue exists in the firewall.cgi binary across five request handlers due to insufficient input validation. Attackers can inject arbitrary shell commands using subshell syntax or unfiltered parameters. The affected parameters include websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter. Injected payloads persist in NVRAM and re-execute during every subsequent request to firewall.cgi.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.