CVE Catalog

CVE-2026-36356

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
14.41%

96th percentile — higher than 96% of all known CVEs

Summary

An unauthenticated OS command injection vulnerability exists in the GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1). The attack is possible via the /action/SetRemoteAccessCfg endpoint.

Risk Assessment

An unauthenticated attacker can remotely execute arbitrary system commands on the device, leading to full device compromise and potential network takeover.

Recommendation

Immediately update the firmware of MeiG Smart FORGE_SLT711 devices to a patched version. Until the update is applied, restrict access to the /action/SetRemoteAccessCfg endpoint using a firewall.

Original NVD description (English source)

The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS