CVE-2026-26791
Received Received - Intake
Command Injection in GL-iNet GL-AR300M16 Enables Remote Code Execution

Publication date: 2026-03-12

Last updated on: 2026-03-16

Assigner: MITRE

Description
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the string port parameter in the enable_echo_server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26791
EUVD
EUVD-2026-11621
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gl-inet ar300m16_firmware 4.3.11
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-26791 is a command injection vulnerability found in the GL-iNet GL-AR300M16 router firmware version 4.3.11. The issue exists in the function called enable_echo_server, which processes a parameter named port without proper sanitization or validation.'}, {'type': 'paragraph', 'content': 'Because the port parameter is directly embedded into system commands and executed, an attacker can craft malicious input that injects arbitrary shell commands. This allows the attacker to execute any command on the device with elevated privileges.'}, {'type': 'paragraph', 'content': "Exploitation involves sending a specially crafted HTTP JSON-RPC request to the router's RPC endpoint, including a malicious port parameter that contains shell commands. For example, an attacker can write arbitrary data to files on the device, demonstrating full command execution capability."}] [1]

Impact Analysis

This vulnerability allows attackers with network access and valid admin tokens to remotely execute arbitrary commands on the affected router.

Such command execution can lead to complete compromise of the device, including unauthorized access to sensitive data, modification or deletion of files, installation of malware, or using the device as a foothold to attack other network resources.

Because the attacker can run commands with elevated privileges, the impact is critical and can severely affect the security and integrity of your network environment.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by sending a crafted HTTP JSON-RPC POST request to the router's RPC endpoint that attempts to exploit the command injection via the port parameter in the enable_echo_server function."}, {'type': 'paragraph', 'content': 'An example detection method involves using a script or command to send a POST request to http://<router-ip>/rpc with a JSON payload calling enable_echo_server and injecting a harmless command such as writing a test string to a file.'}, {'type': 'list_item', 'content': 'Use curl or a similar tool to send a POST request with a JSON payload like: {"method":"enable_echo_server","params":["7 $(echo test123 >/www/test.txt)"]}'}, {'type': 'list_item', 'content': 'Check the device filesystem for the presence of the test file (e.g., /www/test.txt) containing the injected string to confirm vulnerability.'}, {'type': 'list_item', 'content': 'Alternatively, use a Python script with the requests library to automate sending the crafted request and analyze the HTTP response for signs of successful command execution.'}] [1]

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26791. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart