CVE-2026-4611
EUVD-2026-1460323.03.2026, 22:16
A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection. The attack may be launched remotely.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| totolink | x6000r_firmware | 9.4.0cu.1360_b20241207:cu.1360_b20241207 |
| totolink | x6000r_firmware | 9.4.0cu.1498_b20250826:cu.1498_b20250826 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.