CVE-2026-1149

CWE-74CWE-77Command Injection6 documents6 sources
Severity
5.3MEDIUM
EPSS
2.1%
top 15.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Totolink Lr350Totolink Lr350 Firmware
Timeline
PublishedJan 19
Latest updateMar 18

Description

A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument ip leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages2 packages

CVEListV5totolink/lr3509.3.5u.6369_B20220309
NVDtotolink/lr350_firmware9.3.5u.6369_b20220309

🔴Vulnerability Details

3
OSV
f2fs: fix to do sanity check on node footer in {read,write}_end_io2026-03-18
CVEList
Totolink LR350 POST Request cstecgi.cgi setDiagnosisCfg command injection2026-01-19
GHSA
GHSA-m898-gr28-h7qx: A vulnerability was identified in Totolink LR350 92026-01-19

📋Vendor Advisories

1
Red Hat
kernel: f2fs: fix to do sanity check on node footer in {read,write}_end_io2026-03-18
CVE-2026-1149 (MEDIUM CVSS 5.3) | A vulnerability was identified in T | cvebase.io