Cyber Posture

CVE-2026-26795

CriticalPublic PoC

Published: 12 March 2026

Published
12 March 2026
Modified
16 March 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0107 77.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the lack of input sanitization in the module parameter of M.get_system_log, preventing command injection by validating all user-supplied inputs.

SI-2 Flaw Remediation good match
prevent

Requires timely remediation of the specific command injection flaw in GL-iNet firmware version 4.3.11 through patching or updates.

SI-9 Information Input Restrictions partial match
prevent

Restricts the module parameter to organization-defined safe values, blocking crafted inputs that enable arbitrary command execution.

Security SummaryAI

CVE-2026-26795 is a command injection vulnerability affecting the GL-iNet GL-AR300M16 router running firmware version 4.3.11. The flaw exists in the M.get_system_log function, where the module parameter fails to properly sanitize user input, enabling attackers to inject and execute arbitrary operating system commands. This issue, classified under CWE-77 (Command Injection), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote exploitation.

The vulnerability can be exploited by unauthenticated attackers over the network with low complexity and no user interaction required. By crafting malicious input for the module parameter, an attacker can execute arbitrary commands on the device, potentially leading to full system compromise, including data theft, modification of configurations, or further lateral movement within a network. The unchanged scope and high impacts on confidentiality, integrity, and availability underscore its risk to Internet-exposed IoT devices.

A proof-of-concept demonstrating the vulnerability is available in the GitHub repository at https://github.com/sezangel/IOT-vul/tree/main/GL-iNet/GL-AR300M16/logread--get_system_log. No vendor advisories or patches were referenced in the CVE details.

Details

CWE(s)
CWE-77

Affected Products

gl-inet
ar300m16 firmware
4.3.11

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
Why these techniques?

Unauthenticated remote command injection via public-facing web interface on router enables T1190 (Exploit Public-Facing Application) for initial access and T1059.008 (Network Device CLI) for arbitrary OS command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References