Skip to main content

Hi Led Wr120 G2 EUVDEUVD-2026-19095

| CVE-2026-5573 MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-04-05 VulDB GHSA-mfwc-7h58-p642
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 07, 2026 - 13:20 vuln.today
Public exploit code
EUVD ID Assigned
Apr 05, 2026 - 15:00 euvd
EUVD-2026-19095
Analysis Generated
Apr 05, 2026 - 15:00 vuln.today
CVE Published
Apr 05, 2026 - 14:30 nvd
MEDIUM 6.9

DescriptionCVE.org

A weakness has been identified in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. This impacts an unknown function of the file /fs. Executing a manipulation of the argument cwd can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Unrestricted file upload in Technostrobe HI-LED-WR120-G2 firmware version 5.5.0.1R6.03.30 allows remote unauthenticated attackers to upload arbitrary files by manipulating the cwd argument in the /fs endpoint. CVSS 6.9 reflects moderate confidentiality, integrity, and availability impact across local and remote boundaries. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts.

Technical ContextAI

The vulnerability stems from improper input validation on the cwd (current working directory) parameter in the /fs file system endpoint of the Technostrobe HI-LED-WR120-G2 web interface. This is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating the application fails to adequately restrict file upload operations or validate upload destination paths. The firmware device is a networked LED controller, and this endpoint likely handles firmware updates or configuration file uploads without sufficient path canonicalization or access control. The attack vector is network-based with low complexity and no user interaction required, making exploitation straightforward for remote attackers.

RemediationAI

No vendor-released patch has been identified at time of analysis. The vendor's non-responsiveness to early disclosure indicates remediation will likely require device replacement or manual firmware isolation. Immediate mitigation steps include: restrict network access to affected devices by implementing network segmentation and firewall rules to block inbound access to the web interface on port 80/443, disable remote management features if available, and monitor for suspicious file uploads or firmware modifications. Organizations should contact Technostrobe directly to request security updates or end-of-life guidance. Until patched versions are available, deploy affected devices only in isolated or trusted network environments with strong network-level access controls. Upgrade to alternative vendor solutions if available, as the vendor's non-response suggests limited security commitment.

Share

EUVD-2026-19095 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy