CVE-2026-12186
HIGHGL.iNet GL-MT3000 Tor Proxy Service Configuration tor replace_country command injection
Title source: cnaDescription
A weakness has been identified in GL.iNet GL-MT3000 up to 4.4.5. Affected is the function replace_country in the library /usr/lib/oui-httpd/rpc/tor of the component Tor Proxy Service Configuration Handler. This manipulation causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 4.7 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
References (6)
Core 6
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-370832 | GL.iNet GL-MT3000 Tor Proxy Service Configuration tor replace_country command injection
https://vuldb.com/vuln/370832
Signature, Permissions Required signature
permissions-required
VDB-370832 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/370832/cti
Third Party Advisory third-party-advisory
CVE-2026-12186 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-12186
Third Party Advisory third-party-advisory
Submit #815579 | GL.iNet GL-MT3000 mt3000-4.4.5 Command Injection
https://vuldb.com/submit/815579
Scores
CVSS v3
8.8
EPSS
0.0202
EPSS Percentile
78.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-74
CWE-77
Status
published
Products (7)
GL.iNet/GL-MT3000
4.4.0
GL.iNet/GL-MT3000
4.4.1
GL.iNet/GL-MT3000
4.4.2
GL.iNet/GL-MT3000
4.4.3
GL.iNet/GL-MT3000
4.4.4
GL.iNet/GL-MT3000
4.4.5
GL.iNet/GL-MT3000
4.7
Published
Jun 14, 2026
Tracked Since
Jun 15, 2026