Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A security vulnerability has been detected in Totolink NR1800X 9.1.0u.6279_B20210910. The impacted element is the function find_host_ip of the component lighttpd. Such manipulation of the argument Host leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
AnalysisAI
Stack-based buffer overflow in Totolink NR1800X router firmware 9.1.0u.6279_B20210910 allows remote unauthenticated attackers to execute arbitrary code or crash the device by sending malicious HTTP Host headers to the lighttpd web server. The vulnerability has publicly available exploit code (CVSS E:P) but is not currently listed in CISA KEV. EPSS data unavailable, but the combination of remote unauthenticated attack vector (AV:N/PR:N), low complexity (AC:L), and confirmed POC suggests elevated real-world risk for internet-facing devices running this specific firmware version.
Technical ContextAI
The vulnerability resides in the find_host_ip function within the lighttpd web server component integrated into Totolink NR1800X router firmware. Lighttpd is a lightweight HTTP server commonly embedded in IoT devices and routers. The flaw is a classic stack-based buffer overflow (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) triggered by insufficient input validation when processing the HTTP Host header. When an oversized or specially crafted Host header is sent to the web server, the find_host_ip function copies data into a fixed-size stack buffer without proper bounds checking, overwriting adjacent memory structures. This enables control of the instruction pointer and arbitrary code execution within the lighttpd process context, which typically runs with elevated privileges on embedded router platforms.
RemediationAI
No vendor-released patch or updated firmware version has been identified in available references at time of analysis. Users should monitor Totolink's official website at totolink.net and their product support pages for security advisories and firmware updates addressing CVE-2026-7546. Until a patch is released, implement the following compensating controls: disable remote administration access to the router's web interface from the WAN side (typically found under Administration or Remote Management settings), restricting access to LAN-only which prevents internet-based exploitation. Change the default HTTP/HTTPS management ports to non-standard values to reduce automated scanning visibility. Implement network segmentation to isolate the router's management interface from untrusted network segments. Deploy intrusion detection signatures to detect HTTP requests with anomalously long Host headers (greater than 256 bytes) targeting the device. Note that disabling web-based management entirely eliminates the attack surface but requires alternative configuration methods via SSH or serial console. Consider replacing the device with alternative hardware if Totolink does not release timely security updates.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26473