216.73.217.64

CVE-2026-41924

· Published 04/05/2026 20:16 · Modified 04/05/2026 20:16

Labels: CVE-2026-41924 2026-05-04CVE-2026-41924CWE-78[email protected]

Essential information

Published
04/05/2026 20:16
Modified
04/05/2026 20:16
Author
Creator
CVSS
9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the set_time or StartSniffer functions. Attackers can craft a POST request with specially crafted ampersand-delimited parameters to bypass input sanitization and execute commands with a maximum length of 31 bytes through the date command or channel parameter processing.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
tp-link / wdr201a cpe:2.3:h:tp-link:wdr201a:*:*:*:*:*:*:*:*
tp-link / wdr201a firmware cpe:2.3:a:tp-link:wdr201a_firmware:LFMZX28040922V1.02:*:*:*:*:*:*:*

References