CVE-2026-27849

CVE-2026-27849: Missing neutralization in Linksys MR9600, Linksys MX4200

Vendor: Linksys
Product: MR9600
Weakness: CWE-78
Published: February 25, 2026
Last update: February 26, 2026

What the vulnerability does

01 Description

Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh network. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.

Key dates

02 Disclosure timeline

February 25, 2026: CVE published
February 26, 2026: Record updated