CVE-2026-41922— WDR201A WiFi Extender OS Command Injection via wireless.cgi
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41922
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WDR201A WiFi Extender OS Command Injection via wireless.cgi
Source: NVD (National Vulnerability Database)
Vulnerability Description
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allow unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Shenzhen Yipu Commercial and Trading Co., Ltd | WDR201A WiFi Extender | 0 ~ 1.02.0 | - |
II. Public POCs for CVE-2026-41922
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41922
Please Login to view more intelligence information
Same Patch Batch · Shenzhen Yipu Commercial and Trading Co., Ltd · 2026-05-04 · 6 CVEs total
| CVE-2026-41924 | WDR201A WiFi Extender OS Command Injection via makeRequest.cgi | |
| CVE-2026-41925 | WDR201A WiFi Extender OS Command Injection via adm.cgi (reboot_time) | |
| CVE-2026-41926 | WDR201A WiFi Extender OS Command Injection via firewall.cgi | |
| CVE-2026-41923 | WDR201A WiFi Extender OS Command Injection via internet.cgi | |
| CVE-2026-41927 | WDR201A WiFi Extender Stack-Based Buffer Overflow via firewall.cgi |
IV. Related Vulnerabilities
Same product: WDR201A WiFi Extender
- CVE-2026-41927
WDR201A WiFi Extender Stack-Based Buffer Overflow via firewa - CVE-2026-41926
WDR201A WiFi Extender OS Command Injection via firewall.cgi - CVE-2026-41925
WDR201A WiFi Extender OS Command Injection via adm.cgi (rebo - CVE-2026-41924
WDR201A WiFi Extender OS Command Injection via makeRequest.c - CVE-2026-41923
WDR201A WiFi Extender OS Command Injection via internet.cgi
Same vendor: Shenzhen Yipu Commercial and Trading Co., Ltd
- CVE-2026-41927
WDR201A WiFi Extender Stack-Based Buffer Overflow via firewa - CVE-2026-41926
WDR201A WiFi Extender OS Command Injection via firewall.cgi - CVE-2026-41925
WDR201A WiFi Extender OS Command Injection via adm.cgi (rebo - CVE-2026-41924
WDR201A WiFi Extender OS Command Injection via makeRequest.c - CVE-2026-41923
WDR201A WiFi Extender OS Command Injection via internet.cgi
Same weakness: CWE-78
- CVE-2026-42454
Termix: OS Command Injection in Docker Container Management - CVE-2026-44656
Vim: OS Command Injection via 'path' completion - CVE-2026-42307
Vim: OS Command Injection in netrw - CVE-2026-41497
Incomplete fix for CVE-2026-34935: Command Injection in Merv - CVE-2022-50994
DrayTek Vigor 2960 < 1.5.1.4 OS Command Injection via mainfu
V. Comments for CVE-2026-41922
No comments yet