CVE-2026-27847

CVE-2026-27847: Missing authentication in Linksys MR9600, Linksys MX4200

Vendor Linksys
Product MR9600
Weakness CWE-89 · SQLi
Published February 25, 2026
Last update February 26, 2026

CVSS base score

What the vulnerability does

01Description

Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be utilized to successfully complete the handshake and use the protected service. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.

Key dates

02Disclosure timeline

February 25, 2026 CVE published
February 26, 2026 Record updated