cbcvebase.
CVE-2022-40619
published 2026-01-28

CVE-2022-40619: FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devices. This…

high7.7CVSS 3.1
AVNACHPRNUINSUCHIHAL
FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devices. This interface is vulnerable to unauthenticated arbitrary command injection through the funjsq_access_token parameter. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26.

Affected

10 ranges
VendorProductVersion rangeFixed in
netgearr6230_firmware< 1.1.0.1121.1.0.112
netgearr6260_firmware< 1.1.0.881.1.0.88
netgearr7000_firmware< 1.0.11.1341.0.11.134
netgearr8900_firmware< 1.0.5.421.0.5.42
netgearr9000_firmware< 1.0.5.421.0.5.42
netgearrax120_firmware< 1.2.8.401.2.8.40
netgearrax120v2_firmware< 1.2.8.401.2.8.40
netgearrbr20_firmware< 2.7.2.262.7.2.26
netgearrbs20_firmware< 2.7.2.262.7.2.26
netgearxr300_firmware< 1.0.3.721.0.3.72

CVSS provenance

nvdv3.17.7HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
vulncheck7.7HIGH