{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6156", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-12T18:06:05.971Z", "datePublished": "2026-04-13T03:30:21.041Z", "dateUpdated": "2026-04-13T19:14:15.425Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-13T03:30:21.041Z"}, "title": "Totolink A7100RU CGI cstecgi.cgi setIpQosRules os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "OS Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}], "affected": [{"vendor": "Totolink", "product": "A7100RU", "versions": [{"version": "7.4cu.2313_b20191024", "status": "affected"}], "cpes": ["cpe:2.3:o:totolink:a7100ru_firmware:*:*:*:*:*:*:*:*"], "modules": ["CGI Handler"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument Comment leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "baseSeverity": "CRITICAL"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "CRITICAL"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "CRITICAL"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 10, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-12T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-12T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-12T20:11:25.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "LtzHust2 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/357036", "name": "VDB-357036 | Totolink A7100RU CGI cstecgi.cgi setIpQosRules os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/357036/cti", "name": "VDB-357036 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/793681", "name": "Submit #793681 | Totolink A7100RU 7.4cu.2313_b20191024 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_197/README.md", "tags": ["exploit"]}, {"url": "https://www.totolink.net/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T19:14:05.303781Z", "id": "CVE-2026-6156", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T19:14:15.425Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6156", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T19:14:05.303781Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T19:14:12.128Z"}}], "cna": {"title": "Totolink A7100RU CGI cstecgi.cgi setIpQosRules os command injection", "credits": [{"lang": "en", "type": "reporter", "value": "LtzHust2 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 10, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:o:totolink:a7100ru_firmware:*:*:*:*:*:*:*:*"], "vendor": "Totolink", "modules": ["CGI Handler"], "product": "A7100RU", "versions": [{"status": "affected", "version": "7.4cu.2313_b20191024"}]}], "timeline": [{"lang": "en", "time": "2026-04-12T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-12T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-12T20:11:25.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/357036", "name": "VDB-357036 | Totolink A7100RU CGI cstecgi.cgi setIpQosRules os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/357036/cti", "name": "VDB-357036 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/793681", "name": "Submit #793681 | Totolink A7100RU 7.4cu.2313_b20191024 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_197/README.md", "tags": ["exploit"]}, {"url": "https://www.totolink.net/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument Comment leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "OS Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-13T03:30:21.041Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6156", "state": "PUBLISHED", "dateUpdated": "2026-04-13T19:14:15.425Z", "dateReserved": "2026-04-12T18:06:05.971Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-13T03:30:21.041Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument Comment leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used."}], "id": "CVE-2026-6156", "lastModified": "2026-04-27T19:05:57.310", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-13T04:16:15.450", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_197/README.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/793681"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/357036"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/357036/cti"}, {"source": "cna@vuldb.com", "url": "https://www.totolink.net/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.4cu.2313_b20191024"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "A7100RU", "source": "cna", "vendor": "Totolink"}, "product": "a7100ru", "vendor": "totolink"}], "analysis": {"en": {"generated_at": "2026-04-13T05:51:27.245022+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware upgrade from Totolink that includes a patch for the cstecgi.cgi issue.", "If a firmware update is not immediately available, block external access to the /cgi-bin/cstecgi.cgi endpoint using firewall rules or disable remote management features entirely.", "Implement monitoring of web access logs for requests to the cstecgi.cgi endpoint and investigate any suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected devices are Totolink A7100RU routers supplied with the specified firmware build. No other vendors or product lines are mentioned in the advisory, and the issue is limited to the CGI handler component of the router firmware.", "description_and_impact": "The vulnerability resides in the setIpQosRules function of the cstecgi.cgi CGI script on Totolink A7100RU routers running firmware version 7.4cu.2313_b20191024. An attacker can manipulate the Comment parameter to inject arbitrary operating\u2011system commands, resulting in remote code execution. This flaw corresponds to the OS Command Injection weaknesses identified as CWE\u201177 and CWE\u201178.", "risk_and_exploitability": "The CVSS base score of 9.3 reflects critical severity. The EPSS score is unavailable. The CISA KEV catalog does not list this entry, indicating no known exploitation at the time of disclosure. The likely attack vector is remote exposure of the CGI endpoint via the router's web interface or other network paths that allow HTTP requests. Successful exploitation would give an attacker administrative control over the router, compromising network traffic confidentiality, integrity, and availability."}}}}, "created": "2026-04-13T12:37:46.439424+00:00", "updated": "2026-04-13T12:53:33.662064+00:00", "vendors": ["totolink", "totolink$PRODUCT$a7100ru"]}