{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26793", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-12T19:14:06.654Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-12T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-12T18:40:03.858Z"}, "descriptions": [{"lang": "en", "value": "GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the set_config function. This vulnerability allows attackers to execute arbitrary commands via a crafted input."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/sezangel/IOT-vul/tree/main/GL-iNet/GL-AR300M16/set_config"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T19:13:33.624963Z", "id": "CVE-2026-26793", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:14:06.654Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26793", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T19:13:33.624963Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T19:12:29.954Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/sezangel/IOT-vul/tree/main/GL-iNet/GL-AR300M16/set_config"}], "descriptions": [{"lang": "en", "value": "GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the set_config function. This vulnerability allows attackers to execute arbitrary commands via a crafted input."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-12T18:40:03.858Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26793", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:14:06.654Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-12T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.11:*:*:*:*:*:*:*", "matchCriteriaId": "FD9AA29E-C1C0-4F18-AB85-DA8285B74EE3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*", "matchCriteriaId": "FA3E349B-C40F-4DE6-B977-CF677B2F9814", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the set_config function. This vulnerability allows attackers to execute arbitrary commands via a crafted input."}, {"lang": "es", "value": "GL-iNet GL-AR300M16 v4.3.11 se descubri\u00f3 que conten\u00eda una vulnerabilidad de inyecci\u00f3n de comandos a trav\u00e9s de la funci\u00f3n set_config. Esta vulnerabilidad permite a los atacantes ejecutar comandos arbitrarios a trav\u00e9s de una entrada manipulada."}], "id": "CVE-2026-26793", "lastModified": "2026-03-13T16:02:22.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-12T19:16:16.073", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/sezangel/IOT-vul/tree/main/GL-iNet/GL-AR300M16/set_config"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.3.11"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "gl-ar300m16", "vendor": "gl-inet"}], "analysis": {"en": {"generated_at": "2026-03-18T15:00:31.556282+00:00", "value": {"mitigation_remediation": ["Check GL-iNet for an updated firmware release that addresses the command injection in set_config.", "If no patch is available, disable or restrict access to the set_config endpoint through firewall rules or network segmentation.", "Monitor device logs for unexpected command execution attempts and apply additional intrusion detection if possible."], "summary": {"action": "Patch ASAP", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is GL-iNet GL-AR300M16 with firmware 4.3.11. No other version information is provided, but the CPE data references that exact firmware revision.", "description_and_impact": "GL-iNet GL-AR300M16 firmware version 4.3.11 contains a command injection flaw in the set_config function. An attacker who can supply a specially crafted request can execute arbitrary system commands, giving them full control over the device. The vulnerability exposes the confidentiality, integrity, and availability of the device and any networks it connects to.", "risk_and_exploitability": "The CVSS score is 9.8, indicating critical severity. The EPSS score is below 1%, suggesting current exploit activity is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via the device\u2019s HTTP API that exposes the set_config function, although the description does not explicitly state the transport. Given the high impact, even a low probability exploit warrants immediate attention."}}}}, "created": "2026-03-13T09:53:52.220572+00:00", "updated": "2026-03-20T15:36:27.743409+00:00", "vendors": ["gl-inet", "gl-inet$PRODUCT$gl-ar300m16"]}