CVE-2026-26213
Published 2026-03-26
CVE-2026-26213: thingino-firmware versions up to the firmware-2026-03-16 release contain an unauthenticated OS command injection vulnerability in the WiFi captive portal CGI…
Priority P1 (82) · Critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 6.24% (92.7th percentile)
thingino-firmware versions up to the firmware-2026-03-16 release contain an unauthenticated OS command injection vulnerability in the WiFi captive portal CGI script. Parameter names taken from the HTTP request are passed unsanitized to eval inside the script's parse_query() and parse_post() functions, so a remote attacker can execute arbitrary commands as root. With that access the attacker can make privileged configuration changes, including resetting the root password and modifying the SSH authorized_keys file, resulting in full persistent compromise of the device.
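The description names the classic shell-CGI sink: a parser that assigns each name=value pair with eval, so an attacker-chosen parameter name becomes shell source. The block below is an added, constructed example and is not thingino's parse_query()/parse_post() code, which this page does not reproduce; the function names, the allow-listed parameters ssid and psk, and the marker-file check are assumptions for illustration. It shows the vulnerable pattern beside a hardened parser that validates names against shell-identifier syntax and dispatches through an allow-list with no eval at all, which also closes the value-side injection that the same eval would allow. Only the query-string path is shown; a POST parser that reads the body from stdin has the same sink and the same fix.

```shell
#!/bin/sh
# Constructed example (not thingino's code): the eval-on-parameter-name
# pattern described for CVE-2026-26213, beside a hardened parser.
# A real CGI would percent-decode the request first; decoding is omitted,
# so the payload below is written already decoded.

# VULNERABLE: one eval per pair, with the attacker-controlled NAME spliced
# into shell source. The value is single-quoted but the name is not, so a
# name such as "a;id -un >/tmp/x;b" makes eval run `id` as the CGI user
# (root on the affected devices, per the advisory).
parse_query_vuln() {
    local IFS='&'
    for pair in $1; do
        key="${pair%%=*}"
        val="${pair#*=}"
        eval "${key}='${val}'"
    done
}

# HARDENED: reject any name that is not a plain shell identifier, then
# dispatch through an allow-list of known parameters with ordinary
# assignments. No eval anywhere, so neither names nor values are parsed
# as code (assumed parameter set: ssid, psk).
parse_query_safe() {
    local IFS='&'
    for pair in $1; do
        key="${pair%%=*}"
        val="${pair#*=}"
        case "$key" in
            "" | [0-9]* | *[!A-Za-z0-9_]*)
                printf 'rejected parameter name: %s\n' "$key" >&2
                continue ;;
        esac
        case "$key" in
            ssid) cfg_ssid=$val ;;
            psk)  cfg_psk=$val ;;
            *)    printf 'unknown parameter: %s\n' "$key" >&2 ;;
        esac
    done
}

# Feeds the same malicious query to the parser named in $1 and prints what
# the injected command wrote: the CGI user's name if `id` ran, nothing if
# the parser refused the name. The marker file stands in for any
# attacker-chosen side effect (password reset, authorized_keys write, ...).
run_payload() {
    parser=$1
    marker=$(mktemp)
    cfg_ssid=
    # Injected NAME is "a;id -un >$marker;b"; eval sees: a;id -un >...;b='1'
    "$parser" "ssid=home&a;id -un >$marker;b=1" 2>/dev/null || true
    cat "$marker"
    rm -f "$marker"
}

vuln_result() { run_payload parse_query_vuln; }
safe_result() { run_payload parse_query_safe; }
safe_ssid()   { run_payload parse_query_safe >/dev/null; printf '%s' "$cfg_ssid"; }
```

Run it with sh and compare vuln_result (prints the CGI user's name, because the injected id ran) with safe_result (prints nothing, and safe_ssid still yields "home" from the legitimate pair). On the affected cameras the CGI user is root, which is what turns one unauthenticated request into the password reset and authorized_keys changes the advisory describes. HTTP framing and percent-encoding of the `;`, space and `>` characters are left out of the example.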
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themactep | thingino-firmware | <= firmware-2026-03-16 | — |
| thingino | thingino_firmware | <= 2026-03-15 | — |
CVSS provenance
NVD v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v4.0: 8.7 HIGH · CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Note that the two NVD vectors disagree on attack vector: v3.1 scores it Network (AV:N), while v4.0 scores it Adjacent (AV:A), which matches VulDB's assessment below that the attack must originate from the local network. Both agree on no privileges required, no user interaction, and full confidentiality, integrity and availability impact.
VulDB
themactep thingino-firmware up to firmware-2026-03-16 Password Reset parse_query/parse_post OS command injection
vuldb · 2026-06-04 · CVSS 8.7 · HIGH
A vulnerability classified as critical has been found in themactep thingino-firmware up to firmware-2026-03-16. This issue affects the functions parse_query/parse_post of the component Password Reset Handler. Manipulation of the request parameters results in OS command injection.
This vulnerability is cataloged as CVE-2026-26213. The attack must originate from the local network. There is no exploit available.
It is recommended to upgrade the affected component.
GHSA
GHSA-h56g-w4h5-4239 · ghsa_unreviewed · 2026-03-26 · CWE-78 (OS Command Injection) · HIGH
The advisory text is identical to the CVE description above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-03-26