Totolink LR350 POST Request cstecgi.cgi setTracerouteCfg command injection_CVE-2026-1150

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. Impacted is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument command results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

Basic Information

ID CVE-2026-1150

Source VulDB

Published Jan 19, 2026 at 10:32

Affected Product

Vendor Totolink

Product LR350

Version 9.3.5u.6369_B20220309

Affected Versions Totolink LR350 9.3.5u.6369_B20220309

CWE Classification

CWE-77 CWE-74

References

{
    "lastseen": "",
    "description": "A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. Impacted is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument command results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.",
    "published": "2026-01-19T10:32:07.749Z",
    "modified": "2026-01-19T10:32:07.749Z",
    "type": "cve",
    "title": "Totolink LR350 POST Request cstecgi.cgi setTracerouteCfg command injection",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.341743\nhttps://vuldb.com/?ctiid.341743\nhttps://vuldb.com/?submit.735696\nhttps://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setTracerouteCfg-2e453a41781f803494e3e4161a393487?source=copy_link\nhttps://www.totolink.net/",
    "id": "CVE-2026-1150",
    "bulletinFamily": "",
    "cwe": [
        "CWE-77",
        "CWE-74"
    ],
    "cvelist": null,
    "sourceData": "Totolink LR350 9.3.5u.6369_B20220309",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "LR350",
    "version": "9.3.5u.6369_B20220309",
    "vendor": "Totolink",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}