CVE-2026-41926
Published 2026-05-04
Priority P264, critical, 9.3 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 1.23% (65.3th percentile)
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shenzhen_yipu_commercial_and_trading_co_ltd | wdr201a_wifi_extender | <= 1.02.0 | — |
VulDB
Shenzhen Yipu WDR201A WiFi Extender up to 1.02 os command injection (EUVD-2026-27125)
vuldb·2026-05-04·CVSS 9.3
CVE-2026-41926 [CRITICAL] Shenzhen Yipu WDR201A WiFi Extender up to 1.02 os command injection (EUVD-2026-27125)
A vulnerability classified as critical was found in Shenzhen Yipu WDR201A WiFi Extender up to 1.02. This issue affects some unknown processing. Such manipulation leads to os command injection.
This vulnerability is documented as CVE-2026-41926. The attack can be executed remotely. There is not any exploit available.
GHSA
GHSA-r939-4h6w-w7j6: WDR201A WiFi Extender (HW V2
ghsa_unreviewed·2026-05-04
CVE-2026-41926 [CRITICAL] CWE-78 GHSA-r939-4h6w-w7j6: WDR201A WiFi Extender (HW V2
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html
https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China
https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-firewall-cgi