CVE-2026-41924
published 2026-05-04
CVE-2026-41924: WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated…
Priority P270 · critical · 9.3 · CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 2.71% (84.1th percentile)
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the set_time or StartSniffer functions. Attackers can craft a POST request with specially crafted ampersand-delimited parameters to bypass input sanitization and execute commands with a maximum length of 31 bytes through the date command or channel parameter processing.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shenzhen_yipu_commercial_and_trading_co_ltd | wdr201a_wifi_extender | <= 1.02.0 | — |
VulDB
Yipu WDR201A WiFi Extender up to 1.02 POST Request makeRequest.cgi set_time/StartSniffer os command injection (EUVD-2026-27121)
vuldb·2026-05-04·CVSS 9.3
CVE-2026-41924 [CRITICAL] Yipu WDR201A WiFi Extender up to 1.02 POST Request makeRequest.cgi set_time/StartSniffer os command injection (EUVD-2026-27121)
A vulnerability, which was classified as critical, was found in Yipu WDR201A WiFi Extender up to 1.02. Affected by this vulnerability is the function set_time/StartSniffer of the file makeRequest.cgi of the component POST Request Handler. The manipulation results in os command injection.
This vulnerability is known as CVE-2026-41924. It is possible to launch the attack remotely. No exploit is available.
GHSA
GHSA-fchj-4xr4-27f8: WDR201A WiFi Extender (HW V2
ghsa_unreviewed·2026-05-04
CVE-2026-41924 [CRITICAL] CWE-78 GHSA-fchj-4xr4-27f8: WDR201A WiFi Extender (HW V2
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the set_time or StartSniffer functions. Attackers can craft a POST request with specially crafted ampersand-delimited parameters to bypass input sanitization and execute commands with a maximum length of 31 bytes through the date command or channel parameter processing.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html
https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China
https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-makerequest-cgi
Published: 2026-05-04