CVE-2026-26461
Awaiting Analysis Awaiting Analysis - Queue
Command Injection in Aver PTC320UV2 Web Interface

Publication date: 2026-05-01

Last updated on: 2026-05-07

Assigner: MITRE

Description
A Command Injection vulnerability in the web management interface in Aver PTC320UV2 0.1.0000.65 allows an unauthenticated attacker to execute arbitrary commands via a crafted web request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26461
EUVD
EUVD-2026-26701
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
aver ptc320uv2 0.1.0000.65
aver ptc320uv2 From 0.1.0000.72 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how the Command Injection vulnerability in Aver PTC320UV2 impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-26461 is a Command Injection vulnerability found in the web management interface of the Aver PTC320UV2 device running firmware version 0.1.0000.65.

This vulnerability allows an unauthenticated attacker to execute arbitrary commands on the device by sending a specially crafted web request to the /action?Get=acc path.

The root cause is that the 'Get' parameter from the web request is directly passed to a shell command in the script /mnt/sky/webui/opt_GetData.sh without proper input sanitization, enabling command injection via shell control characters like semicolons (;).

Impact Analysis

This vulnerability can have serious impacts because it allows an unauthenticated attacker to execute arbitrary commands on the affected device.

Such command execution could lead to unauthorized control over the device, potentially allowing the attacker to manipulate device settings, disrupt services, access sensitive information, or use the device as a foothold for further attacks within a network.

Detection Guidance

This vulnerability can be detected by monitoring or testing the web management interface of the Aver PTC320UV2 device for command injection attempts. Specifically, crafted web requests targeting the /action?Get=acc path with shell control characters such as a semicolon (;) can be used to test if arbitrary commands are executed.

A possible detection method is to send a crafted HTTP request to the device's web interface and observe the response or behavior. For example, using curl or similar tools to send a request like:

  • curl "http://<device-ip>/action?Get=acc;id"

If the device executes the injected command (e.g., 'id'), it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to update the firmware of the affected Aver PTC320UV2 device to version 0.1.0000.72 or later, which addresses security vulnerabilities including this command injection flaw.

Additionally, restricting access to the web management interface by network segmentation or firewall rules to allow only trusted users can reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart