CVE-2026-11448
MEDIUMGL.iNet GL-MT3000 Minidlna Service rpc realpath command injection
Title source: cnaDescription
A weakness has been identified in GL.iNet GL-MT3000 up to 4.4.5. The affected element is the function realpath of the file /rpc of the component Minidlna Service. This manipulation of the argument kube. set causes command injection. The attack is possible to be carried out remotely. Upgrading to version 4.7 is sufficient to fix this issue. It is recommended to upgrade the affected component. The vendor confirms: "Starting from version 4.7, SDK has added global protection to intercept malicious injection".
References (5)
Core 5
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-369068 | GL.iNet GL-MT3000 Minidlna Service rpc realpath command injection
https://vuldb.com/vuln/369068
Signature, Permissions Required signature
permissions-required
VDB-369068 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/369068/cti
Third Party Advisory third-party-advisory
CVE-2026-11448 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-11448
Third Party Advisory third-party-advisory
Submit #825212 | GL.iNet GL-MT3000 4.4.5 Command Injection
https://vuldb.com/submit/825212
Scores
CVSS v3
4.7
EPSS
0.0158
EPSS Percentile
72.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-74
CWE-77
Status
published
Products (7)
GL.iNet/GL-MT3000
4.4.0
GL.iNet/GL-MT3000
4.4.1
GL.iNet/GL-MT3000
4.4.2
GL.iNet/GL-MT3000
4.4.3
GL.iNet/GL-MT3000
4.4.4
GL.iNet/GL-MT3000
4.4.5
GL.iNet/GL-MT3000
4.7
Published
Jun 07, 2026
Tracked Since
Jun 07, 2026