CVE Catalog

CVE-2026-11451

HighCVSS 7.3
Published: Updated: Translated: NVD NIST

Summary

A flaw has been found in GL.iNet GL-MT3000 version 4.4.5, affecting the snprintf function in the /cgi-bin/glc file of the FTP Protocol Handler component. Manipulating the media_dir argument can lead to remote command injection.

Risk Assessment

An attacker could remotely exploit this vulnerability to execute unauthorized commands on the device, posing a significant security risk.

Recommendation

It is recommended to upgrade to version 4.8.1, which fixes this issue by properly escaping the media_dir argument before execution.

Original NVD description (English source)

A flaw has been found in GL.iNet GL-MT3000 4.4.5. This impacts the function snprintf of the file /cgi-bin/glc of the component FTP Protocol Handler. Executing a manipulation of the argument media_dir can lead to command injection. It is possible to launch the attack remotely. Upgrading to version 4.8.1 will fix this issue. You should upgrade the affected component. The vendor explains: "In version 4.8.1, before writing media_dir to the FTP configuration command, the code escapes single quotes using escape_single_quote(). The payloads in the report—which rely on closing a single quote, appending commands with a semicolon, and commenting out the tail with #—cannot escape execution under the current code path. We also verified this on a GL‑MT3000 device running firmware version 4.8.1 using similar payloads calling the /NAS_API_SET_PROTO_CONFIG interface. Although the interface returned success, the marker file intended to prove command execution was not created; the payload was written into /etc/vsftpd.conf only as ordinary configuration content and did not trigger any shell command execution. Therefore, with the current firmware version and default runtime environment, we could not reproduce the claimed “unauthorized command injection in set_proto_config”."

Vulnerability data from NVD (NIST) · CISA KEV · EPSS