Skip to main content

Ar300m16 Firmware CVE-2026-26794

HIGH
SQL Injection (CWE-89)
2026-03-12 cve@mitre.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 19:57 vuln.today
CVE Published
Mar 12, 2026 - 18:16 nvd
HIGH 8.8

DescriptionCVE.org

GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a SQL injection vulnerability via the add_group() function. This vulnerability allows attackers to execute arbitrary SQL database operations via a crafted HTTP request.

AnalysisAI

SQL injection in GL-iNet GL-AR300M16 firmware v4.3.11 allows authenticated attackers to execute arbitrary database commands through the add_group() function via crafted HTTP requests. The vulnerability affects all installations of the affected firmware version and requires valid credentials to exploit. No patch is currently available to remediate this high-severity flaw.

Technical ContextAI

The GL-AR300M16 is a compact travel router running OpenWrt-based firmware, commonly used in small office and travel scenarios for creating secure network connections. The vulnerability manifests as a classic SQL injection (CWE-89) where user-supplied input in the add_group() function is not properly sanitized before being incorporated into SQL queries, allowing attackers to inject malicious SQL statements. This type of vulnerability typically occurs when dynamic SQL queries are constructed using string concatenation without proper input validation or parameterized queries, enabling attackers to manipulate the underlying database structure and data.

RemediationAI

The primary remediation is to update the GL-AR300M16 firmware to a version newer than 4.3.11 once GL-iNet releases a security patch addressing this SQL injection vulnerability. Until an official patch is available, organizations should implement compensating controls including restricting administrative access to trusted IP addresses only, enabling strong authentication mechanisms, monitoring for suspicious database queries or unauthorized group creation attempts, and considering placing affected devices behind additional security controls such as web application firewalls that can filter SQL injection attempts.

CVE-2024-39227 CRITICAL POC
9.8 Aug 06

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/

CVE-2024-39228 CRITICAL POC
9.8 Aug 06

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/

CVE-2024-39226 CRITICAL POC
9.8 Aug 06

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/

CVE-2024-39225 CRITICAL POC
9.8 Aug 06

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/

CVE-2024-45262 HIGH POC
8.8 Oct 24

An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Rated h

CVE-2024-45261 HIGH POC
8.0 Oct 24

An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Rated h

CVE-2024-45260 HIGH POC
8.0 Oct 24

An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Rated h

CVE-2024-27356 HIGH POC
7.5 Feb 27

An issue was discovered on certain GL-iNet devices. Rated high severity (CVSS 7.5), this vulnerability is remotely explo

CVE-2024-45259 MEDIUM POC
6.5 Oct 24

An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Rated m

CVE-2026-26793 CRITICAL
9.8 Mar 12

GL-iNet GL-AR300M16 v4.3.11 has a command injection in the set_config function, adding to the growing list of injection

CVE-2026-26795 CRITICAL
9.8 Mar 12

GL-iNet GL-AR300M16 v4.3.11 contains another command injection vulnerability, this time via the module parameter in the

CVE-2026-26792 CRITICAL
9.8 Mar 12

GL-iNet GL-AR300M16 v4.3.11 has multiple command injection vulnerabilities in the set_upgrade function through seven dif

Share

CVE-2026-26794 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy