Skip to main content

A7100Ru EUVDEUVD-2026-19462

| CVE-2026-5678 MEDIUM
OS Command Injection (CWE-78)
2026-04-06 VulDB GHSA-h49p-xq2j-gmrw
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 07, 2026 - 13:20 vuln.today
Public exploit code
EUVD ID Assigned
Apr 06, 2026 - 19:00 euvd
EUVD-2026-19462
Analysis Generated
Apr 06, 2026 - 19:00 vuln.today
CVE Published
Apr 06, 2026 - 18:45 nvd
MEDIUM 6.9

DescriptionCVE.org

A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument mode can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

OS command injection in Totolink A7100RU firmware version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary commands via manipulation of the mode parameter in the setScheduleCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists for this vulnerability, creating immediate risk for exposed devices.

Technical ContextAI

The vulnerability stems from insufficient input validation in a CGI script (cstecgi.cgi) that handles schedule configuration on the Totolink A7100RU wireless router. The setScheduleCfg function fails to properly sanitize the mode parameter before passing it to an OS command execution context, enabling command injection (CWE-78). The attack vector is network-accessible, targeting the web-based management interface of the device. Affected devices are identified by CPE cpe:2.3:a:totolink:a7100ru with firmware version 7.4cu.2313_b20191024 and potentially other versions in the A7100RU product line.

RemediationAI

Contact Totolink support and consult https://www.totolink.net/ for the latest firmware release that patches this vulnerability; no specific fixed version number is provided in the available advisory data. Interim mitigation prior to patching includes restricting network access to the router's web management interface (port 80/443) using firewall rules, disabling remote management features if not required, and isolating the device to trusted networks only. Change default credentials immediately if not already done. Monitor for unauthorized command execution by reviewing router logs for suspicious cgi-bin requests or mode parameters in the schedule configuration endpoint.

CVE-2026-6195 HIGH POC
8.9 Apr 13

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6155 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6140 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6139 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut

CVE-2026-6138 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta

CVE-2026-6132 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6131 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6116 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6115 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at

CVE-2026-6114 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

EUVD-2026-19462 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy