CVE 8.8 HIGH

CVE-2026-36960_CVE-2026-36960

April 30, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action.

AI Analysis

Cross-Site Request Forgery (CSRF) vulnerability in the web management interface

Basic Information

ID CVE-2026-36960

Source mitre

Published Apr 30, 2026 at 00:00

Modified Apr 30, 2026 at 17:08

Affected Product

Vendor U-SPEED

Product U-SPEED N300 Router

Version V1.0.0

Affected Versions n/a n/a n/a

CWE Classification

CWE-352

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor U-SPEED

Product N300 Router

Version V1.0.0

References

{
    "lastseen": "",
    "description": "A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action.",
    "published": "2026-04-30T00:00:00.000Z",
    "modified": "2026-04-30T17:08:13.854Z",
    "type": "cve",
    "title": "CVE-2026-36960",
    "source": "mitre",
    "references": "http://u-speed.com\nhttps://github.com/kirubel-cve/CVE-2026-36960",
    "id": "CVE-2026-36960",
    "bulletinFamily": "",
    "cwe": [
        "CWE-352"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "U-SPEED N300 Router",
    "version": "V1.0.0",
    "vendor": "U-SPEED",
    "ai_description": "Cross-Site Request Forgery (CSRF) vulnerability in the web management interface",
    "ai_severity": "High",
    "ai_vendor": "U-SPEED",
    "ai_product": "N300 Router",
    "ai_version": "V1.0.0",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply