216.73.217.64

CVE-2026-41923

· Published 04/05/2026 20:16 · Modified 04/05/2026 20:16

Labels: CVE-2026-41923 2026-05-04CVE-2026-41923CWE-78[email protected]

Essential information

Published
04/05/2026 20:16
Modified
04/05/2026 20:16
Author
Creator
CVSS
9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit unsanitized parameter concatenation in the set_add_routing function to inject shell commands that are executed via popen() with partial output reflected in the HTTP response.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
tp-link / wdr201a cpe:2.3:a:tp-link:wdr201a:*:*:*:*:*:*:*:*
tp-link / wdr201a cpe:2.3:h:tp-link:wdr201a:*:*:*:*:*:*:*:*

References