CVE-2026-4611

CWE-77 — Command Injection CWE-78 — OS Command Injection CWE-9115 documents5 sources

Severity

8.6HIGH

EPSS

1.3%

top 20.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Totolink X6000r Totolink X6000r Firmware

Timeline

PublishedMar 23

Latest updateMar 24

Description

A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection. The attack may be launched remotely.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5totolink/x6000r9.4.0cu.1360_B20241207, 9.4.0cu.1498_B20250826+1

▶NVDtotolink/x6000r_firmware9.4.0cu.1360_b20241207, 9.4.0cu.1498_b20250826+1

🔴Vulnerability Details

GHSA

GHSA-56rf-g9gc-682p: A flaw has been found in TOTOLINK X6000R 9↗2026-03-24

▶

CVEList

TOTOLINK X6000R shttpd setLanCfg privilege escalation↗2026-03-23

▶