CVE 8.7 HIGH

Totolink LR350 POST Request cstecgi.cgi setWizardCfg buffer overflow_CVE-2026-1158

January 19, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Description

A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

AI Analysis

Buffer overflow in Totolink LR350 via manipulation of the ssid argument in the setWizardCfg function of the /cgi-bin/cstecgi.cgi file, allowing remote attacks.

Basic Information

ID CVE-2026-1158

Source VulDB

Published Jan 19, 2026 at 14:32

Affected Product

Vendor Totolink

Product LR350

Version 9.3.5u.6369_B20220309

Affected Versions Totolink LR350 9.3.5u.6369_B20220309

CWE Classification

CWE-120 CWE-119

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Totolink

Product LR350

Version 9.3.5u.6369_B20220309

References

{
    "lastseen": "",
    "description": "A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.",
    "published": "2026-01-19T14:32:08.100Z",
    "modified": "2026-01-19T14:32:08.100Z",
    "type": "cve",
    "title": "Totolink LR350 POST Request cstecgi.cgi setWizardCfg buffer overflow",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.341752\nhttps://vuldb.com/?ctiid.341752\nhttps://vuldb.com/?submit.735728\nhttps://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWizardCfg-2e453a41781f80ce89cfc1d25049e279?source=copy_link\nhttps://www.totolink.net/",
    "id": "CVE-2026-1158",
    "bulletinFamily": "",
    "cwe": [
        "CWE-120",
        "CWE-119"
    ],
    "cvelist": null,
    "sourceData": "Totolink LR350 9.3.5u.6369_B20220309",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "LR350",
    "version": "9.3.5u.6369_B20220309",
    "vendor": "Totolink",
    "ai_description": "Buffer overflow in Totolink LR350 via manipulation of the ssid argument in the setWizardCfg function of the /cgi-bin/cstecgi.cgi file, allowing remote attacks.",
    "ai_severity": "High",
    "ai_vendor": "Totolink",
    "ai_product": "LR350",
    "ai_version": "9.3.5u.6369_B20220309",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply