CVE-2026-5679 MEDIUM

CVE-2026-5679: Totolink A3300R cstecgi.cgi vsetTr069Cfg os command injection

Vendor Totolink

Product A3300R

Weakness CWE-78

Published April 6, 2026

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Adjacent

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_B20221024. The impacted element is the function vsetTr069Cfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument stun_pass leads to os command injection. The exploit has been disclosed publicly and may be used.

Key dates

02Disclosure timeline

April 6, 2026 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-5679 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

04Related CVE

CVE-2026-6113 Totolink A7100RU CGI cstecgi.cgi setTtyServiceCfg os command injection CVE-2026-7642 pskill9 website-downloader MCP index.ts download_website os command injection CVE-2023-50216 D-Link G416 awsfile tar File Handling Command Injection Remote Code Execution Vulnerability CVE-2026-21837 HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API CVE-2021-0219 Junos OS: Command injection vulnerability in 'request system software' CLI command