CVE-2026-1326

MediumPublic PoC

Published: 22 January 2026

Published

22 January 2026

Modified

29 January 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0041 61.3th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. This vulnerability affects the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely.…

The exploit has been made available to the public and could be used for attacks.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates CVE-2026-1326 by requiring timely flaw remediation through vendor patches for the command injection vulnerability in the Totolink router firmware.

SI-10 Information Input Validation good match

prevent

Prevents command injection by requiring validation of the untrusted Hostname argument in the setWanCfg POST request handler within /cgi-bin/cstecgi.cgi.

SI-5 Security Alerts, Advisories, and Directives good match

prevent

Addresses the publicly available exploit for CVE-2026-1326 by requiring dissemination and implementation of relevant security alerts and advisories.

Security SummaryAI

CVE-2026-1326 is a command injection vulnerability affecting the Totolink NR1800X router on firmware version 9.1.0u.6279_B20210910. The flaw exists in the setWanCfg function of the /cgi-bin/cstecgi.cgi file within the POST Request Handler component, where manipulation of the Hostname argument enables command injection. Published on 2026-01-22, it is associated with CWEs-74 and CWE-77.

The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating it can be exploited remotely over the network with low complexity by an attacker possessing low privileges, without requiring user interaction. Successful exploitation allows the attacker to achieve limited impacts on confidentiality, integrity, and availability via injected commands.

VulDB advisories detail the issue and note that an exploit has been made publicly available, heightening the potential for attacks. The Totolink vendor website provides relevant resources, and security practitioners should consult these references for any available patches or mitigation steps.

Details

CWE(s): CWE-74 CWE-77

Affected Products

totolink

nr1800x firmware

9.1.0u.6279_b20210910

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

Command injection via public-facing router web CGI (setWanCfg/Hostname) directly enables exploitation of public-facing application (T1190) and network device command execution (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWanCfg-2e453a41781f80b390f3e1ce0d9dd5b9?source=copy_link
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.342302
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.342302
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.735787
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.totolink.net/
Product · cna@vuldb.com