PatchSiren

TOTOLINK CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH TOTOLINK CVE published 2026-07-09

CVE-2026-15271

A security vulnerability has been detected in TOTOLINK A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10, and EX200 up to 20260906. The vulnerability affects some unknown functionality of the file /etc/boa/boa.conf of the component Web Interface, leading to a least privilege violation. The attack may be initiated remotely, with high complexity and difficult exploitation. This vulnerability has a CVSS [truncated]

CRITICAL Totolink CVE published 2026-06-23

CVE-2026-44089

The Totolink EX1200L router is vulnerable to a buffer overflow in the login functionality of the cgi-bin/cstecgi.cgi endpoint. This vulnerability, CVE-2026-44089, could be exploited to cause the program to crash and execute code remotely. An attacker could perform actions as root, including reading and editing data, as well as bricking the router. The vulnerability has been confirmed in version 9.3.5u.614 [truncated]

MEDIUM TOTOLINK CVE published 2026-06-09

CVE-2026-11620

A security flaw has been discovered in TOTOLINK EX200 4.0.3c.7646. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation results in least privilege violation. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

LOW TOTOLINK CVE published 2026-06-08

CVE-2026-11554

A vulnerability was determined in TOTOLINK CP450 4.1.0cu.747. This vulnerability affects unknown code of the file /etc/vsftpd.conf of the component vsftpd. This manipulation causes least privilege violation. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.

LOW TOTOLINK CVE published 2026-06-08

CVE-2026-11494

A security vulnerability has been detected in TOTOLINK AC1200 T8 4.1.5cu.8611. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation leads to least privilege violation. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.

HIGH Totolink CVE published 2026-05-26

CVE-2026-9543

A command injection vulnerability in the Totolink N300RH wireless router allows unauthenticated remote attackers to execute arbitrary operating system commands via the Web Management Interface. The vulnerability resides in the `setPasswordCfg` function of `/cgi-bin/cstecgi.cgi`, where the `admpass` parameter is passed unsanitized to a shell command. The CVSS 4.0 score of 8.9 (HIGH) reflects network attack [truncated]

LOW Totolink CVE published 2026-05-26

CVE-2026-9534

A command injection vulnerability in Totolink CA750-PoE 6.2c.510 allows remote attackers to execute arbitrary OS commands via the PIN parameter in the setWiFiWpsConfig function of /cgi-bin/cstecgi.cgi. The vulnerability has a LOW CVSS 4.0 score (2.1) with network attack vector, low attack complexity, and low privileges required. The exploit has been publicly disclosed.

LOW Totolink CVE published 2026-05-26

CVE-2026-9532

A command injection vulnerability exists in the Totolink CA750-PoE 6.2c.510 router firmware. The flaw resides in the `setUploadUserData` function within `/cgi-bin/cstecgi.cgi`, where unsanitized user input via the `FileName` parameter permits arbitrary operating system command execution. The vulnerability is remotely exploitable and requires low privileges (authenticated access). Public exploit disclosure [truncated]

LOW Totolink CVE published 2026-05-26

CVE-2026-9515

A remote OS command injection vulnerability exists in Totolink CA750-PoE firmware version 6.2c.510. The vulnerability resides in the `setUnloadUserData` function within the `/cgi-bin/cstecgi.cgi` Setting Handler component. An authenticated attacker with low privileges can inject arbitrary operating system commands via the `plugin_version` parameter. The CVSS 4.0 vector indicates network attack vector, low [truncated]

LOW Totolink CVE published 2026-05-25

CVE-2026-9514

A command injection vulnerability exists in the Totolink CA750-PoE 6.2c.510 firmware. The setNetworkDiag function in /cgi-bin/cstecgi.cgi fails to sanitize user-supplied input for network diagnostic parameters (NetDiagHost, NetDiagPingNum, NetDiagPingSize, NetDiagPingTimeOut, NetDiagTracertHop), allowing authenticated remote attackers to inject arbitrary operating system commands. The vulnerability requir [truncated]

LOW Totolink CVE published 2026-05-25

CVE-2026-9513

A command injection vulnerability exists in the NTPSyncWithHost function of the /cgi-bin/cstecgi.cgi endpoint on Totolink CA750-PoE devices running firmware version 6.2c.510. The host_time parameter accepts unsanitized input that is passed to a shell command, enabling authenticated remote attackers to execute arbitrary operating system commands. The vulnerability requires low privileges and no user intera [truncated]

LOW Totolink CVE published 2026-05-25

CVE-2026-9512

A command injection vulnerability exists in the Totolink CA750-PoE 6.2c.510 firmware. The flaw resides in the setPasswordCfg function within /cgi-bin/cstecgi.cgi, where unsanitized input for the admuser and admpass parameters allows remote attackers to execute arbitrary operating system commands. The vulnerability requires authentication (PR:L per CVSS 4.0 vector), limiting its immediate exploitability. P [truncated]

HIGH Totolink CVE published 2026-05-25

CVE-2026-9476

A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setPasswordCfg` function within the `/cgi-bin/cstecgi.cgi` endpoint of the web management interface. The `admpass` parameter accepts unsanitized input that is passed to a shell command, enabling remote attackers to execute arbitrary operating system comma [truncated]

HIGH Totolink CVE published 2026-05-25

CVE-2026-9475

A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability is located in the setIpQosRules function within the /cgi-bin/cstecgi.cgi endpoint of the web management interface. The Comment parameter is improperly sanitized, allowing an attacker to inject and execute arbitrary operating system commands. This vulnerability can be exp [truncated]

HIGH Totolink CVE published 2026-05-25

CVE-2026-9458

A remote OS command injection vulnerability exists in Totolink A8000RU firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setWanCfg` function within the `/cgi-bin/cstecgi.cgi` endpoint of the web management interface. The `enabled` parameter is susceptible to command injection, allowing unauthenticated remote attackers to execute arbitrary operating system commands. The CVSS 4.0 score [truncated]

HIGH Totolink CVE published 2026-05-25

CVE-2026-9457

A command injection vulnerability exists in the Totolink A8000RU router firmware version 7.1cu.643_b20200521. The vulnerability is located in the UploadFirmwareFile function within the /cgi-bin/cstecgi.cgi endpoint of the web management interface. The FileName parameter is not properly sanitized, allowing remote attackers to inject and execute arbitrary operating system commands without authentication. Th [truncated]

HIGH Totolink CVE published 2026-05-25

CVE-2026-9456

A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability is located in the `setOpenVpnCfg` function within the `/cgi-bin/cstecgi.cgi` web management interface endpoint. The `enabled` parameter is not properly sanitized, allowing remote attackers to inject and execute arbitrary operating system commands without authentication. [truncated]

HIGH Totolink CVE published 2026-05-25

CVE-2026-9455

A command injection vulnerability exists in the Totolink A8000RU router firmware version 7.1cu.643_b20200521. The vulnerability is located in the UploadOpenVpnCert function within the /cgi-bin/cstecgi.cgi endpoint of the web management interface. The FileName parameter is not properly sanitized, allowing an attacker to inject arbitrary operating system commands. This vulnerability can be exploited remotel [truncated]

HIGH Totolink CVE published 2026-05-25

CVE-2026-9436

A command injection vulnerability exists in the Totolink A8000RU router firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setL2tpServerCfg` function within the `/cgi-bin/cstecgi.cgi` web management interface endpoint. The `enable` parameter is not properly sanitized, allowing remote attackers to inject and execute arbitrary operating system commands without authentication. This vulne [truncated]

HIGH Totolink CVE published 2026-05-25

CVE-2026-9435

A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setQosCfg` function within the `/cgi-bin/cstecgi.cgi` endpoint of the web management interface. The `enable` parameter is not properly sanitized, allowing remote attackers to inject and execute arbitrary operating system commands without authentication. T [truncated]

HIGH Totolink CVE published 2026-05-25

CVE-2026-9434

A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setWiFiWpsCfg` function within the `/cgi-bin/cstecgi.cgi` web management interface endpoint. The `wscDisabled` parameter is not properly sanitized before being passed to system shell execution, allowing remote attackers to inject arbitrary operating syste [truncated]

HIGH Totolink CVE published 2026-05-25

CVE-2026-9433

A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setMacFilterRules` function within the `/cgi-bin/cstecgi.cgi` endpoint of the web management interface. The `enable` parameter is not properly sanitized, allowing remote attackers to inject and execute arbitrary operating system commands without authentic [truncated]

HIGH Totolink CVE published 2026-05-25

CVE-2026-9408

A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability is located in the `setStaticDhcpRules` function within the `/cgi-bin/cstecgi.cgi` endpoint of the web management interface. The `enable` parameter is not properly sanitized, allowing remote attackers to inject and execute arbitrary operating system commands without authe [truncated]

HIGH Totolink CVE published 2026-05-25

CVE-2026-9406

A command injection vulnerability exists in the Totolink A8000RU router firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setRemoteCfg` function within the `/cgi-bin/cstecgi.cgi` web management interface endpoint. The `enable` parameter is susceptible to OS command injection, allowing remote unauthenticated attackers to execute arbitrary commands on the underlying operating system. T [truncated]

HIGH Totolink CVE published 2026-05-24

CVE-2026-9404

A command injection vulnerability exists in the Totolink A8000RU router firmware version 7.1cu.643_b20200521. The vulnerability is located in the `setDdnsCfg` function within the `/cgi-bin/cstecgi.cgi` endpoint of the web management interface. The `provider` parameter is not properly sanitized, allowing an unauthenticated remote attacker to inject and execute arbitrary operating system commands. The CVSS [truncated]

HIGH Totolink CVE published 2026-05-24

CVE-2026-9387

A command injection vulnerability exists in the Totolink A8000RU router firmware version 7.1cu.643_b20200521. The vulnerability is located in the setUpgradeFW function within the /cgi-bin/cstecgi.cgi endpoint of the web management interface. The resetFlags parameter is susceptible to OS command injection, allowing remote attackers to execute arbitrary commands without authentication. The vulnerability has [truncated]

HIGH Totolink CVE published 2026-05-24

CVE-2026-9386

A remote OS command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setLanguageCfg` function within the `/cgi-bin/cstecgi.cgi` web management interface endpoint. The `lang` parameter is not properly sanitized, allowing an unauthenticated remote attacker to inject arbitrary operating system commands. The CVSS 4.0 [truncated]

HIGH Totolink CVE published 2026-05-24

CVE-2026-9384

A command injection vulnerability exists in the Totolink A8000RU wireless router firmware version 7.1cu.643_b20200521. The vulnerability resides in the `setDiagnosisCfg` function within the `/cgi-bin/cstecgi.cgi` endpoint of the web management interface. The `ip` parameter is not properly sanitized, allowing an unauthenticated remote attacker to inject arbitrary operating system commands. Successful explo [truncated]