CVE-2026-41923
published 2026-05-04CVE-2026-41923: WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated…
PriorityP270critical9.3CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
2.61%
83.5th percentile
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit unsanitized parameter concatenation in the set_add_routing function to inject shell commands that are executed via popen() with partial output reflected in the HTTP response.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shenzhen_yipu_commercial_and_trading_co_ltd | wdr201a_wifi_extender | <= 1.02.0 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Shenzhen Yipu WDR201A WiFi Extender up to 1.02 POST Parameter internet.cgi popen gateway os command injection (EUVD-2026-27120)
vuldb·2026-05-04·CVSS 9.3
CVE-2026-41923 [CRITICAL] Shenzhen Yipu WDR201A WiFi Extender up to 1.02 POST Parameter internet.cgi popen gateway os command injection (EUVD-2026-27120)
A vulnerability was found in Shenzhen Yipu WDR201A WiFi Extender up to 1.02. It has been declared as critical. The impacted element is the function popen of the file internet.cgi of the component POST Parameter Handler. The manipulation of the argument gateway results in os command injection.
This vulnerability was named CVE-2026-41923. The attack may be performed from remote. There is no available exploit.
GHSA
GHSA-2frf-w2p8-6vq5: WDR201A WiFi Extender (HW V2
ghsa_unreviewed·2026-05-04
CVE-2026-41923 [CRITICAL] CWE-78 GHSA-2frf-w2p8-6vq5: WDR201A WiFi Extender (HW V2
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit unsanitized parameter concatenation in the set_add_routing function to inject shell commands that are executed via popen() with partial output reflected in the HTTP response.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.htmlhttps://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20Chinahttps://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-internet-cgi
2026-05-04
Published