CVE-2026-2167

MEDIUM

Totolink Wa300 Firmware - Command Injection

Title source: rule

Description

A vulnerability was detected in Totolink WA300 5.2cu.7112_B20190227. The impacted element is the function setAPNetwork of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument Ipaddr results in os command injection. The attack may be performed from remote. The exploit is now public and may be used.

References (5)

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/master-abc/cve/issues/36

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.344869

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.344869

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.752063

[Product] https://www.totolink.net/

Scores

CVSS v3 6.3

EPSS 0.0216

EPSS Percentile 84.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-77 CWE-78

Status published

Affected Products (1)

totolink/wa300_firmware

Timeline

Published Feb 08, 2026

Tracked Since Feb 18, 2026