NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-41926

Summary	WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request.
Publication Date	May 5, 2026, 5:16 a.m.
Registration Date	May 6, 2026, 4:07 a.m.
Last Update	May 5, 2026, 5:16 a.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html	disclosure@vulncheck.com
2	https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China	disclosure@vulncheck.com
3	https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-firewall-cgi	disclosure@vulncheck.com

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-78	OSコマンド・インジェクション	https://cwe.mitre.org/data/definitions/78.html