CVE-2026-41926 CRITICAL

CVE-2026-41926: WDR201A WiFi Extender OS Command Injection via firewall.cgi

Vendor Shenzhen Yipu Commercial And Trading Co., Ltd
Product WDR201A WiFi Extender
Weakness CWE-78
Published May 4, 2026
Last update May 18, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request.

Key dates

02Disclosure timeline

May 4, 2026 CVE published
May 18, 2026 Record updated