CVE-2026-26213

CRITICAL

thingino-firmware api.cgi Unauthenticated Command Injection in Captive Portal

Title source: cna

Description

thingino-firmware versions up to the firmware-2026-03-16 release contains an unauthenticated os command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can exploit the eval function in parse_query() and parse_post() functions to achieve remote code execution and perform privileged configuration changes including root password reset and SSH authorized_keys modification, resulting in full persistent device compromise.

References (2)

Core 2

Core References

Product product

https://github.com/themactep/thingino-firmware/releases/tag/firmware-2026-03-15

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/thingino-firmware-api-cgi-unauthenticated-command-injection-in-captive-portal

Scores

CVSS v3 9.8

EPSS 0.0624

EPSS Percentile 92.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (2)

themactep/thingino-firmware < firmware-2026-03-16

thingino/thingino_firmware < 2026-03-15

Published Mar 26, 2026

Tracked Since Mar 27, 2026