Totolink NR1800X POST Request cstecgi.cgi setWanCfg command injection_CVE-2026-1326

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. This vulnerability affects the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

Basic Information

ID CVE-2026-1326

Source VulDB

Published Jan 22, 2026 at 13:32

Modified Jan 22, 2026 at 20:18

Affected Product

Vendor Totolink

Product NR1800X

Version 9.1.0u.6279_B20210910

Affected Versions Totolink NR1800X 9.1.0u.6279_B20210910

CWE Classification

CWE-77 CWE-74

References

{
    "lastseen": "",
    "description": "A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. This vulnerability affects the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.",
    "published": "2026-01-22T13:32:08.210Z",
    "modified": "2026-01-22T20:18:53.691Z",
    "type": "cve",
    "title": "Totolink NR1800X POST Request cstecgi.cgi setWanCfg command injection",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.342302\nhttps://vuldb.com/?ctiid.342302\nhttps://vuldb.com/?submit.735787\nhttps://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWanCfg-2e453a41781f80b390f3e1ce0d9dd5b9?source=copy_link\nhttps://www.totolink.net/",
    "id": "CVE-2026-1326",
    "bulletinFamily": "",
    "cwe": [
        "CWE-77",
        "CWE-74"
    ],
    "cvelist": null,
    "sourceData": "Totolink NR1800X 9.1.0u.6279_B20210910",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "NR1800X",
    "version": "9.1.0u.6279_B20210910",
    "vendor": "Totolink",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}