Skip to main content

Thingino Firmware

1 CVEs product

Monthly

CVE-2026-26213 HIGH This Week

Unauthenticated remote code execution as root is possible in thingino-firmware through the WiFi captive portal CGI script due to command injection in query and POST parameter parsing. Attackers on the adjacent network (AV:A) can inject arbitrary commands through unsanitized HTTP parameter names, enabling full device takeover including root password reset and SSH key manipulation for persistent access. No public exploit is identified at time of analysis, though VulnCheck has published an advisory detailing the vulnerability mechanics.

RCE Command Injection Thingino Firmware
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
EPSS 0% CVSS 8.7
HIGH This Week

Unauthenticated remote code execution as root is possible in thingino-firmware through the WiFi captive portal CGI script due to command injection in query and POST parameter parsing. Attackers on the adjacent network (AV:A) can inject arbitrary commands through unsanitized HTTP parameter names, enabling full device takeover including root password reset and SSH key manipulation for persistent access. No public exploit is identified at time of analysis, though VulnCheck has published an advisory detailing the vulnerability mechanics.

RCE Command Injection Thingino Firmware
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy