Skip to main content

A7100Ru CVE-2026-6195

| EUVDEUVD-2026-22036 HIGH
OS Command Injection (CWE-78)
2026-04-13 VulDB GHSA-pjj5-xh8h-6xp3
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 22, 2026 - 20:37 vuln.today
cvss_changed
PoC Detected
Apr 22, 2026 - 20:23 vuln.today
Public exploit code
Analysis Generated
Apr 15, 2026 - 12:31 vuln.today
Severity Changed
Apr 13, 2026 - 18:22 NVD
CRITICAL HIGH
CVSS changed
Apr 13, 2026 - 18:22 NVD
9.8 (CRITICAL) 8.9 (HIGH)
EUVD ID Assigned
Apr 13, 2026 - 18:00 euvd
EUVD-2026-22036
Analysis Generated
Apr 13, 2026 - 18:00 vuln.today
CVE Published
Apr 13, 2026 - 17:30 nvd
HIGH 8.9

DescriptionCVE.org

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

AnalysisAI

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary operating system commands via the admpass parameter in the setPasswordCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists (CVSS 8.9, EPSS 0.89% / 76th percentile, SSVC: POC/automatable/total impact). Not listed in CISA KEV; real-world exploitation status unconfirmed beyond POC publication.

Technical ContextAI

This vulnerability affects the CGI (Common Gateway Interface) handler implementation in Totolink A7100RU consumer router firmware. The setPasswordCfg function processes the admpass parameter without proper input sanitization, allowing injection of shell metacharacters. This is a classic CWE-78 OS command injection flaw where user-controlled input is passed unsafely to system shell execution functions. The affected CPE (cpe:2.3:a:totolink:a7100ru) identifies this as an application-level vulnerability in embedded device firmware. CGI-based router management interfaces are common attack surfaces because they directly bridge web inputs to backend system commands, and legacy implementations often lack modern input validation frameworks.

RemediationAI

Immediately check Totolink A7100RU devices for firmware version 7.4cu.2313_b20191024 and consult the vendor website (https://www.totolink.net/) for updated firmware releases addressing CVE-2026-6195. No vendor-released patch version is independently confirmed in available data at time of analysis. If updated firmware is unavailable, implement network-level access controls to restrict CGI interface access to trusted management networks only, disable remote administration features, and place affected routers behind additional firewall layers. Consider replacing devices with actively supported models if the vendor has discontinued security updates for this 2019-era firmware branch. Monitor VulDB advisory (https://vuldb.com/vuln/357117) and NVD listing for patch availability updates.

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6155 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6140 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6139 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut

CVE-2026-6138 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta

CVE-2026-6132 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6131 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6116 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6115 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at

CVE-2026-6114 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6113 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

CVE-2026-6195 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy