CRITICAL🇵🇱 Wersja polska

CVE-2026-26791

CVSS 9.8v3.1pub. 2026-03-12upd. 2026-03-16

GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the string port parameter in the enable_echo_server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

🤖 AI Analysis
How it works

The vulnerability occurs in the enable_echo_server function, which improperly processes the 'port' parameter passed as a string. An attacker can provide crafted input containing malicious system commands that will be executed by the device. The lack of proper input validation and sanitization allows injection and execution of arbitrary code at the operating system level.

Impact

An attacker can gain full control over the device by executing arbitrary system commands, which may lead to breach of confidentiality, integrity, and availability of the system.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Until an update is applied, consider restricting access to the device management interface at the network level and isolating the device from untrusted network segments.

Who is affected

GL-iNet GL-AR300M16 with firmware version 4.3.11

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Gl Inet Ar300m16

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Ar300m16 Firmware

    OS
    Gl-Inet
    4.3.11
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-26795CRITICAL9.8PL ✓ten sam produkt

Command injection w GL-iNet GL-AR300M16 via parametr module

CVE-2026-26793CRITICAL9.8PL ✓ten sam produkt

Command injection w GL-iNet GL-AR300M16 via set_config

CVE-2026-26792CRITICAL9.8PL ✓ten sam produkt

Command injection w GL-iNet GL-AR300M16 — funkcja set_upgrade

CVE-2024-39225CRITICAL9.8PL ✓ten sam produkt

RCE w firmware GL-iNet — obejście mechanizmu logowania

CVE-2024-39227CRITICAL9.8PL ✓ten sam produkt

GL-iNet: RCE i path traversal w /cgi-bin/glc bez uwierzytelnienia