{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26794", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-14T03:28:33.618Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-12T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-12T18:09:37.700Z"}, "descriptions": [{"lang": "en", "value": "GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a SQL injection vulnerability via the add_group() function. This vulnerability allows attackers to execute arbitrary SQL database operations via a crafted HTTP request."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/sezangel/IOT-vul/tree/main/GL-iNet/GL-AR300M16/acl--add_group"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-14T03:27:50.306582Z", "id": "CVE-2026-26794", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-14T03:28:33.618Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26794", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-14T03:27:50.306582Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-14T03:28:22.887Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/sezangel/IOT-vul/tree/main/GL-iNet/GL-AR300M16/acl--add_group"}], "descriptions": [{"lang": "en", "value": "GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a SQL injection vulnerability via the add_group() function. This vulnerability allows attackers to execute arbitrary SQL database operations via a crafted HTTP request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-12T18:09:37.700Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26794", "state": "PUBLISHED", "dateUpdated": "2026-03-14T03:28:33.618Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-12T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.11:*:*:*:*:*:*:*", "matchCriteriaId": "FD9AA29E-C1C0-4F18-AB85-DA8285B74EE3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*", "matchCriteriaId": "FA3E349B-C40F-4DE6-B977-CF677B2F9814", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a SQL injection vulnerability via the add_group() function. This vulnerability allows attackers to execute arbitrary SQL database operations via a crafted HTTP request."}, {"lang": "es", "value": "GL-iNet GL-AR300M16 v4.3.11 se descubri\u00f3 que conten\u00eda una vulnerabilidad de inyecci\u00f3n SQL a trav\u00e9s de la funci\u00f3n add_group(). Esta vulnerabilidad permite a los atacantes ejecutar operaciones arbitrarias en la base de datos SQL a trav\u00e9s de una solicitud HTTP manipulada."}], "id": "CVE-2026-26794", "lastModified": "2026-03-16T14:18:27.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-12T18:16:22.940", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/sezangel/IOT-vul/tree/main/GL-iNet/GL-AR300M16/acl--add_group"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.3.11"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "gl-ar300m16", "vendor": "gl-inet"}], "analysis": {"en": {"generated_at": "2026-03-18T15:00:12.703063+00:00", "value": {"mitigation_remediation": ["Apply an updated firmware version that addresses the add_group() SQL injection flaw if available from GL\u2011iNet.", "If a patch is not yet released, restrict external access to the device by placing it behind a firewall or configuring access\u2011control lists to block untrusted networks from reaching the web interface or the add_group() endpoint.", "Disable or remove the add_group() functionality if possible, or enable input validation to guard against malformed requests.", "Monitor device logs for unusual SQL activity or failed authentication attempts to detect potential exploitation.", "Ensure overlay network segmentation so that the router\u2019s administrative interface is isolated from general user traffic."], "summary": {"action": "Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Affected product: GL\u2011iNet GL\u2011AR300M16 router with firmware version 4.3.11. The vulnerability exists in the device firmware component identified by the CPE cpe:2.3:o:gl\u2011inet:ar300m16_firmware:4.3.11. No other version variants are listed.", "description_and_impact": "The GL-iNet GL-AR300M16 firmware 4.3.11 contains a SQL injection vulnerability in the add_group() function that allows an attacker to execute arbitrary SQL database operations via a crafted HTTP request. This defect can lead to unauthorized read, modification, or deletion of database contents, thereby compromising confidentiality and integrity of the device\u2019s configuration and stored data. The vulnerability is classified as CWE\u201189 according to the vendor description.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity of the flaw. EPSS indicates an exploitation probability of less than 1\u00a0%. It is not listed in the CISA KEV catalog. The CVE description does not specify an exact attack vector, but the flaw is triggered by a malicious HTTP request to the device, implying a remote, web\u2011based exploitation scenario that could be executed from an adjacent network or over the internet if the router is publicly reachable. Although the low EPSS suggests limited current exploitation, the high CVSS warrants timely remediation."}}}}, "created": "2026-03-13T09:53:48.642106+00:00", "title": "SQL Injection in GL\u2011iNet GL\u2011AR300M16 Firmware 4.3.11 via add_group()", "updated": "2026-03-20T15:36:26.776218+00:00", "vendors": ["gl-inet", "gl-inet$PRODUCT$gl-ar300m16"]}