CVE-2026-36356

CRITICAL

MeiG Smart FORGE_SLT711 MDM9607.LE.1.0-00110 - Command Injection

Title source: llm

Description

The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.

Exploits (1)

nomisec FAILED

by totekuh · poc

https://github.com/totekuh/CVE-2026-36356

View Code ZIP pw:eip

References (3)

Core 3

Core References

http://forgeslt711.com

http://meig.com

https://github.com/totekuh/CVE-2026-36356

View Exploit ZIP pw:eip

Scores

CVSS v3 9.1

EPSS 0.0047

EPSS Percentile 64.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-306 CWE-78

Status published

Published May 05, 2026

Tracked Since May 05, 2026