CVE-2026-1158

HIGH

Totolink Lr350 Firmware - Memory Corruption

Title source: rule

Description

A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

References (5)

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.341752

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.341752

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.735728

[Exploit, Third Party Advisory] https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWizardCfg-2e453a41781f80ce89cfc1d25049e279?source=copy_link

[Product] https://www.totolink.net/

Scores

CVSS v3 8.8

EPSS 0.0016

EPSS Percentile 36.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-119 CWE-120

Status published

Products (1)

totolink/lr350_firmware 9.3.5u.6369_b20220309

Published Jan 19, 2026

Tracked Since Feb 18, 2026