PatchSiren cyber security CVE debrief
CVE-2026-11451 GL.iNet CVE debrief
A vulnerability was discovered in GL.iNet GL-MT3000 version 4.4.5. The issue lies in the snprintf function of the /cgi-bin/glc file within the FTP Protocol Handler component. An attacker can exploit this by manipulating the media_dir argument, leading to command injection. This attack can be launched remotely. The vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity. The issue is resolved in version 4.8.1.
- Vendor
- GL.iNet
- Product
- GL-MT3000
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-07
- Original CVE updated
- 2026-06-08
- Advisory published
- 2026-06-07
- Advisory updated
- 2026-06-08
Who should care
Users of GL.iNet GL-MT3000 version 4.4.5 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by the user-supplied media_dir value being inserted, via snprintf, into the FTP configuration command string built by /cgi-bin/glc without sanitization, which allows command injection. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to version 4.8.1 or later to fix this issue.
- Limit access to the FTP Protocol Handler component to trusted sources only.
Evidence notes
The vendor has confirmed that the issue is resolved in version 4.8.1, where the code escapes single quotes using escape_single_quote() before writing media_dir to the FTP configuration command.
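As an added illustration of the hardening pattern described above, the following C code is not the vendor's code: it shows a constructed escape_single_quote() routine and a command builder that refuses truncated output. The command template (ftpconfig --root) is a hypothetical placeholder, since the advisory does not quote the real command.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: every single quote in the untrusted value becomes
 * '\'' so that the value cannot terminate the surrounding '...' in the
 * command string. Returns a newly allocated string; the caller frees it. */
char *escape_single_quote(const char *in) {
    size_t n = strlen(in), quotes = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i] == '\'') quotes++;
    /* each quote grows from 1 to 4 bytes, plus the terminating NUL */
    char *out = malloc(n + quotes * 3 + 1);
    if (!out) return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else *p++ = in[i];
    }
    *p = '\0';
    return out;
}

/* Builds the FTP configuration command with the escaped media_dir inside
 * single quotes. Returns 0 on success, -1 if escaping failed or the
 * buffer was too small: a truncated command must never be executed. */
int build_ftp_cmd(char *buf, size_t buflen, const char *media_dir) {
    char *safe = escape_single_quote(media_dir);
    if (!safe) return -1;
    /* hypothetical command name; the advisory does not give the real one */
    int n = snprintf(buf, buflen, "ftpconfig --root '%s'", safe);
    free(safe);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return 0;
}
```

The escaping only works because the template wraps the value in single quotes; passing media_dir as a separate argv entry to execve() instead of through a shell removes the need for quoting altogether.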
Official resources
CVE-2026-11451 was published on 2026-06-07T04:16:29.570Z and modified on 2026-06-08T17:16:38.370Z.