CVE-2026-3040
Received Received - Intake
OS Command Injection in DrayTek Vigor 300B Web Interface

Publication date: 2026-02-23

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in DrayTek Vigor 300B up to 1.5.1.6. This affects the function cgiGetFile of the file /cgi-bin/mainfunction.cgi/uploadlangs of the component Web Management Interface. The manipulation of the argument File leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor confirms that "300B is EoL, and this is an authenticated vulnerability. We don't plan to fix it." This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-23
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3040
EUVD
EUVD-2026-7476
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
draytek vigor300b_firmware to 1.5.1.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the DrayTek Vigor 300B device up to version 1.5.1.6, specifically in the Web Management Interface component. It affects the cgiGetFile function of the /cgi-bin/mainfunction.cgi/uploadlangs file. By manipulating the File argument, an attacker can perform OS command injection, potentially executing arbitrary commands on the device. The attack can be initiated remotely but requires authentication.

The vendor has confirmed that the 300B model is End of Life (EoL) and will not be fixed. The exploit is publicly available.

Impact Analysis

If exploited, this vulnerability could allow an authenticated attacker to execute arbitrary operating system commands on the affected device remotely. This could lead to unauthorized control over the device, potentially compromising its functionality, accessing sensitive information, or disrupting network operations.

However, the vulnerability requires authentication, which limits the attack surface to users who already have some level of access.

Since the device is no longer supported, no patches will be provided, increasing the risk if the device remains in use.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

This vulnerability affects DrayTek Vigor 300B devices up to version 1.5.1.6 and is an authenticated OS command injection vulnerability in the web management interface.

Since the vendor has confirmed that the 300B model is End of Life (EoL) and no fixes will be provided, immediate mitigation steps include:

  • Restrict access to the web management interface to trusted and secure networks only.
  • Ensure that only authorized and authenticated users can access the device management interface.
  • Consider isolating or removing the vulnerable device from critical network segments.
  • Monitor for any suspicious activity or exploitation attempts targeting the /cgi-bin/mainfunction.cgi/uploadlangs endpoint.
  • Plan to replace the affected device with a supported model that receives security updates.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3040. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart