CVE Catalog

CVE-2026-41926

Critical
Published: Translated: NVD NIST

Summary

The WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary due to insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters, leading to persistent payloads stored in NVRAM.

Risk Assessment

This vulnerability allows attackers to remotely execute commands on the device, potentially leading to system takeover and data leakage. It impacts the security of the entire network in which the device resides.

Recommendation

It is recommended to update the device firmware to the latest version to mitigate this vulnerability. Additionally, implementing further security measures such as monitoring network traffic is advisable.

Original NVD description (English source)

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS