CVE-2026-4497 PUBLISHED

A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. Affected by this issue is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

• junqi (VulDB User) reporter

• VDB-352046 | Totolink WA300 cstecgi.cgi recvUpgradeNewFw os command injection
• VDB-352046 | CTI Indicators (IOB, IOC, TTP, IOA)
• Submit #773875 | Totolink WA300 V5.2cu.7112_B20190227 OS Command Injection
• https://github.com/hellonestor/killallbug/issues/1
• https://github.com/user-attachments/files/25790616/Unauthenticated.Remote.Code.Execution.in.TOTOLINK.WA300.via.Command.Injection.in.recvUpgradeNewFw.zip
• https://www.totolink.net/

• OS Command Injection CWE
• Command Injection CWE