CVE-2026-4497 · CRITICAL 9.8 · EPSS p77.1%

CVE-2026-4497

Description

A vulnerability was found in TOTOLINK WA300 firmware 5.2cu.7112_B20190227. The affected code is the function recvUpgradeNewFw in the CGI handler /cgi-bin/cstecgi.cgi. Manipulation of its input leads to OS command injection (CWE-78), which on an embedded router means remote code execution as the privilege the CGI binary runs with. The attack can be launched remotely over the network and, per the CVSS vector (PR:N), requires no authentication. A public exploit has been disclosed (see references 1 and 2) and may be used in the wild.
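The weakness class behind this record, shown as an added example that is not code from the TOTOLINK firmware and does not reproduce the real recvUpgradeNewFw logic: a hypothetical firmware-upgrade CGI handler that pastes an uploaded filename into a shell command line, next to a hardened form that allow-lists the name and runs the flashing tool through execv() with no shell in between. The parameter, the staging directory /tmp/upload/ and the fw_flash tool are assumptions for illustration.

```c
/*
 * Added example: the CWE-78 pattern behind a firmware-upgrade CGI handler
 * and a hardened alternative. Hypothetical code; NOT the TOTOLINK WA300
 * firmware and NOT the real recvUpgradeNewFw. The staging path
 * /tmp/upload/ and the /sbin/fw_flash tool are assumptions.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX 256

/* VULNERABLE pattern: request data is formatted into a shell command line.
 * A value such as "fw.bin;reboot" or "$(id)" is interpreted by /bin/sh
 * once the string is handed to system(). Returns 0 on success. */
int build_upgrade_cmd_unsafe(const char *filename, char *cmd, size_t cmd_len)
{
    int n = snprintf(cmd, cmd_len, "fw_flash /tmp/upload/%s", filename);
    return (n > 0 && (size_t)n < cmd_len) ? 0 : -1;
    /* the buggy handler then does: system(cmd); */
}

/* Helper for demonstration: does the unsafe command line still carry
 * the attacker's substring verbatim? 1 = yes, 0 = no. */
int unsafe_cmd_contains(const char *filename, const char *needle)
{
    char cmd[CMD_MAX];
    if (build_upgrade_cmd_unsafe(filename, cmd, sizeof cmd) != 0) return 0;
    return strstr(cmd, needle) != NULL;
}

/* Allow-list check: a plain basename of [A-Za-z0-9._-], non-empty,
 * bounded in length, not starting with '-' (option injection) or '.'
 * (dotfiles and ".."). Everything else is rejected outright. */
int upload_name_is_safe(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 64) return 0;
    if (s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* HARDENED pattern: validate first, then execv() the tool with an argv
 * array. No shell parses the path, so metacharacters have no meaning.
 * Returns the child's exit status, or -1 if the name is rejected or
 * fork()/waitpid() fails. */
int run_upgrade_safe(const char *filename)
{
    char path[CMD_MAX];
    if (!upload_name_is_safe(filename)) return -1;
    snprintf(path, sizeof path, "/tmp/upload/%s", filename);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "fw_flash", path, NULL };
        execv("/sbin/fw_flash", argv);   /* assumed tool path */
        _exit(127);                      /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[CMD_MAX];
    const char *hostile = "fw.bin;reboot";   /* constructed attacker value */

    build_upgrade_cmd_unsafe(hostile, cmd, sizeof cmd);
    printf("unsafe command line: %s\n", cmd);  /* ';reboot' reaches the shell */

    printf("safe(\"fw.bin\")        = %d\n", upload_name_is_safe("fw.bin"));
    printf("safe(\"fw.bin;reboot\") = %d\n", upload_name_is_safe(hostile));
    printf("safe(\"$(id)\")         = %d\n", upload_name_is_safe("$(id)"));
    printf("safe(\"../etc/passwd\") = %d\n", upload_name_is_safe("../etc/passwd"));
    printf("run_upgrade_safe(hostile) = %d (rejected before any exec)\n",
           run_upgrade_safe(hostile));
    return 0;
}
```

Two points worth keeping in mind when triaging a record like this one. First, the fix has two halves: rejecting anything outside a strict allow-list and removing the shell from the execution path; escaping metacharacters while keeping system() is the usual half-fix that gets bypassed. Second, because the CVSS vector records PR:N, a vendor patch that only gates the handler behind the web login still leaves the injection reachable by anyone holding router credentials, so check that the upgrade handler itself was changed, not just the authentication in front of it.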

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.91% probability of exploitation · percentile 77.1% · 2026-06-19T12:03:05Z
Published: 2026-03-20
Last modified: 2026-04-29

Underlying weaknesses · 2

CWE-77, CWE-78

References

  1. https://github.com/hellonestor/killallbug/issues/1
  2. https://github.com/user-attachments/files/25790616/Unauthenticated.Remote.Code.Execution.in.TOTOLINK.WA300.via.Command.Injection.in.recvUpgradeNewFw.zip
  3. https://vuldb.com/?ctiid.352046
  4. https://vuldb.com/?id.352046
  5. https://vuldb.com/?submit.773875
  6. https://www.totolink.net/

Weakness mapping · 2

Type: Weakness · Target: Improper Neutralization of Special Elements used in a Command ('Command Injection') · CWE-77 · Confidence: 0% · Tier: live
Type: Weakness · Target: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') · CWE-78 · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-2167
CVE: CVE-2026-3696
CVE: CVE-2026-9387
CVE: CVE-2026-0641
CVE: CVE-2026-9457
CVE: CVE-2026-7717
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.