Is there a public PoC exploit available for CVE-2026-5103?

Yes, a public proof-of-concept exploit is available for CVE-2026-5103. Prioritise patching immediately. EPSS: 2.9%.

A3300R CVE-2026-5103

Q: What is the CVSS score of CVE-2026-5103?

CVE-2026-5103 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 2.9%.

EUVD-2026-17053 LOW

Command Injection (CWE-77)

2026-03-30 VulDB

GHSA-fxg3-w9hm-vf88

Command Injection A3300R

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.3 (MEDIUM) 2.1 (LOW)

PoC Detected

Mar 30, 2026 - 15:42 vuln.today

Public exploit code

EUVD ID Assigned

Mar 30, 2026 - 01:45 euvd

EUVD-2026-17053

Analysis Generated

Mar 30, 2026 - 01:45 vuln.today

CVE Published

Mar 30, 2026 - 01:00 nvd

MEDIUM 5.3

DescriptionCVE.org

A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. This issue affects the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument enable causes command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

Remote command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via the enable parameter in the setUPnPCfg function at /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and the vulnerability has a CVSS score of 6.3 with confirmed proof-of-concept demonstrated on GitHub.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS 6.3 (Medium) rating reflects attack vector of network-accessible, low attack complexity, and authentication requirement (PR:L), with impact limited to confidentiality, integrity, and availability at system level. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated attacker (or one who has obtained valid router credentials through phishing or default password exploitation) sends a crafted HTTP request to /cgi-bin/cstecgi.cgi with a malicious command injected into the enable parameter-for example, enable=1;id; or enable=1$(whoami)-which executes arbitrary shell commands on the router with the privileges of the web server process. Public exploit code published on GitHub demonstrates this attack against the A3300R specifically, making the attack feasible for actors with basic networking knowledge. …
Remediation	Users should upgrade their Totolink A3300R firmware to the latest available release beyond 17.0.0cu.557_b20221024 as soon as available from Totolink. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5103 vulnerability details – vuln.today

Back