LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-26791

CVE-2026-26791 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 13, 2026

GL-iNet GL-AR300M16 - Command Injection

Published: March 12, 2026Updated: March 13, 2026PoC AvailableRemote Exploitable

Overview

GL-iNet GL-AR300M16 v4.3.11 contains a command injection caused by improper sanitization of the string port parameter in the enable_echo_server function, letting attackers execute arbitrary commands remotely, exploit requires crafted input.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 17.1%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary commands remotely, potentially leading to full system compromise.

Mitigation

Update to the latest version that patches this vulnerability.

References

Social Media Activity(4 posts)

TheHackerWire
TheHackerWire
@thehackerwire
Mar 13, 2026

šŸ”“ CVE-2026-26791 - Critical (9.8) GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the string port parameter in the enable_echo_server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-26791/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 13, 2026

šŸ”“ CVE-2026-26791 - Critical (9.8) GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the string port parameter in the enable_echo_server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-26791/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 13, 2026

šŸ”“ CVE-2026-26791 - Critical (9.8) GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the string port parameter in the enable_echo_server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-26791/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 13, 2026

šŸ”“ CVE-2026-26791 - Critical (9.8) GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the string port parameter in the enable_echo_server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-26791/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID
CVE-2026-26791
Severity
Critical
CVSS Score
9.8
Type
command_injection
Status
confirmed
EPSS
17.1%
Social Posts
4

CWE

  • CWE-77

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

17.1%Probability of exploitation in the next 30 days