CVE-2026-0404
HIGH
WAF: Medium
CVSS 8.0
Published: 2026-01-13
CWE-20
An insufficient input validation vulnerability in the DHCPv6 functionality of NETGEAR Orbi devices allows network-adjacent attackers, authenticated over WiFi or on the LAN, to perform OS command injection on the router. DHCPv6 is not enabled by default.
WAF Coverage Analysis
Improper Input Validation
Medium WAF Coverage
OWASP: A03:2021 Injection
- 920xxx - Protocol Enforcement
- 941xxx - XSS / XXE
- 942xxx - SQL Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| netgear | rbr750_firmware | up to 7.2.8.5 |
| netgear | rbr840_firmware | up to 7.2.8.5 |
| netgear | rbr850_firmware | up to 7.2.8.5 |
| netgear | rbr860_firmware | up to 7.2.8.5 |
| netgear | rbs750_firmware | up to 7.2.8.5 |
| netgear | rbs840_firmware | up to 7.2.8.5 |
| netgear | rbs850_firmware | up to 7.2.8.5 |
| netgear | rbs860_firmware | up to 7.2.8.5 |
| netgear | rbre950_firmware | up to 7.2.8.5 |
| netgear | rbre960_firmware | up to 7.2.8.5 |
References
- kb.netgear.com (Patch, Vendor Advisory)
- www.netgear.com (Patch, Product)