CVE-2026-27848

CVE-2026-27848: Missing neutralization in Linksys MR9600, Linksys MX4200

Vendor Linksys
Product MR9600
Weakness CWE-78
Published February 25, 2026
Last update February 26, 2026

CVSS base score

What the vulnerability does

01Description

Due to missing neutralization of special elements, OS commands can be injected via the handshake of a TLS-SRP connection, which are ultimately run as the root user. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.

Key dates

02Disclosure timeline

February 25, 2026 CVE published
February 26, 2026 Record updated