Totolink A7000R cstecgi.cgi setUploadUserData command injection_CVE-2026-1601

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileName can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

Basic Information

ID CVE-2026-1601

Source VulDB

Published Jan 29, 2026 at 18:32

Modified Jan 29, 2026 at 18:46

Affected Product

Vendor Totolink

Product A7000R

Version 4.1cu.4154

Affected Versions Totolink A7000R 4.1cu.4154

CWE Classification

CWE-77 CWE-74

References

{
    "lastseen": "",
    "description": "A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileName can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.",
    "published": "2026-01-29T18:32:07.938Z",
    "modified": "2026-01-29T18:46:30.566Z",
    "type": "cve",
    "title": "Totolink A7000R cstecgi.cgi setUploadUserData command injection",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.343373\nhttps://vuldb.com/?ctiid.343373\nhttps://vuldb.com/?submit.740760\nhttps://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/03_RCE_setUploadUserData_RCE.md\nhttps://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/03_RCE_setUploadUserData_RCE.md#poc\nhttps://www.totolink.net/",
    "id": "CVE-2026-1601",
    "bulletinFamily": "",
    "cwe": [
        "CWE-77",
        "CWE-74"
    ],
    "cvelist": null,
    "sourceData": "Totolink A7000R 4.1cu.4154",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "A7000R",
    "version": "4.1cu.4154",
    "vendor": "Totolink",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}