CRITICAL🇵🇱 Wersja polska

CVE-2026-26795

CVSS 9.8v3.1pub. 2026-03-12upd. 2026-03-16

GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

🤖 AI Analysis
How it works

The vulnerability occurs in the handling of the 'module' parameter passed to the M.get_system_log function. Input data is not properly validated or sanitized before being passed to the system command interpreter. An attacker can craft a malicious payload containing additional system commands that will be executed in the context of the device.

Impact

An attacker can execute arbitrary system commands on the vulnerable device, leading to complete compromise of confidentiality, integrity, and availability of the system — including potential takeover of full control over the router.

Mitigation & patch

Apply patches available from the manufacturer according to the references. It is recommended to restrict access to the device management interface only to trusted networks and disable remote access to the admin panel if not required.

Who is affected

GL-iNet GL-AR300M16 Firmware version 4.3.11

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Gl Inet Ar300m16

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Ar300m16 Firmware

    OS
    Gl-Inet
    4.3.11
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-26793CRITICAL9.8PL ✓ten sam produkt

Command injection w GL-iNet GL-AR300M16 via set_config

CVE-2026-26792CRITICAL9.8PL ✓ten sam produkt

Command injection w GL-iNet GL-AR300M16 — funkcja set_upgrade

CVE-2026-26791CRITICAL9.8PL ✓ten sam produkt

Command injection w GL-iNet GL-AR300M16 — wykonanie dowolnych poleceń

CVE-2024-39225CRITICAL9.8PL ✓ten sam produkt

RCE w firmware GL-iNet — obejście mechanizmu logowania

CVE-2024-39227CRITICAL9.8PL ✓ten sam produkt

GL-iNet: RCE i path traversal w /cgi-bin/glc bez uwierzytelnienia