CVE-2026-5176
CRITICAL WAF: High
CVSS 9.8
Published: 2026-03-31
CWE-77
A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. Affected is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument provided results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
WAF Coverage Analysis
Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| totolink | a3300r_firmware | 17.0.0cu.557_b20221024 |
References
- github.com (Exploit, Third Party Advisory)
- vuldb.com (Third Party Advisory, VDB Entry)
- vuldb.com (Third Party Advisory, VDB Entry)
- vuldb.com (Permissions Required, VDB Entry)
- www.totolink.net (Product)