CVE-2026-41923
Deferred Deferred - Pending Action
OS Command Injection in WDR201A WiFi Extender

Publication date: 2026-05-04

Last updated on: 2026-05-04

Assigner: VulnCheck

Description
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit unsanitized parameter concatenation in the set_add_routing function to inject shell commands that are executed via popen() with partial output reflected in the HTTP response.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41923
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) within the internet.cgi binary. It is an OS command injection flaw that allows unauthenticated remote attackers to execute arbitrary shell commands. This is possible because the gateway POST parameter is not properly sanitized before being concatenated in the set_add_routing function. The injected commands are executed via the popen() function, and part of the output is reflected back in the HTTP response.

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated remote attackers to execute arbitrary shell commands on the affected device. This could lead to full compromise of the device, unauthorized access to network resources, data theft, disruption of network services, or using the device as a foothold for further attacks within the network.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41923. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart