CVE-2026-9532— Totolink CA750-PoE Setting cstecgi.cgi setUploadUserData os command injection
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9532
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Totolink CA750-PoE Setting cstecgi.cgi setUploadUserData os command injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
A security vulnerability has been detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Such manipulation of the argument FileName leads to os command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-9532
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9532
请登录查看更多情报信息。
Proof of Concept for CVE-2026-9532 (1)
Same Patch Batch · Totolink · 2026-05-26 · 5 CVEs total
| CVE-2026-9543 | 9.8 CRITICAL | Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection |
| CVE-2026-9534 | 6.3 MEDIUM | Totolink CA750-PoE Setting cstecgi.cgi setWiFiWpsConfig os command injection |
| CVE-2026-9533 | 6.3 MEDIUM | Totolink CA750-PoE Setting cstecgi.cgi recvUpgradeNewFw os command injection |
| CVE-2026-9531 | 6.3 MEDIUM | Totolink CA750-PoE Setting cstecgi.cgi setUpgradeUboot os command injection |
IV. Related Vulnerabilities
Same product: CA750-PoE
- CVE-2026-9534
Totolink CA750-PoE Setting cstecgi.cgi setWiFiWpsConfig os c - CVE-2026-9533
Totolink CA750-PoE Setting cstecgi.cgi recvUpgradeNewFw os c - CVE-2026-9531
Totolink CA750-PoE Setting cstecgi.cgi setUpgradeUboot os co - CVE-2026-9515
Totolink CA750-PoE Setting cstecgi.cgi setUnloadUserData os - CVE-2026-9514
Totolink CA750-PoE Setting cstecgi.cgi setNetworkDiag os com
Same vendor: Totolink
- CVE-2026-9543
Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os - CVE-2026-9534
Totolink CA750-PoE Setting cstecgi.cgi setWiFiWpsConfig os c - CVE-2026-9533
Totolink CA750-PoE Setting cstecgi.cgi recvUpgradeNewFw os c - CVE-2026-9531
Totolink CA750-PoE Setting cstecgi.cgi setUpgradeUboot os co - CVE-2026-9515
Totolink CA750-PoE Setting cstecgi.cgi setUnloadUserData os
Same weakness: CWE-78
- CVE-2026-44444
Lumiverse: Spindle extension install runs untrusted lifecycl - CVE-2026-9560
OpenVPN Connect macOS 3.5.1-3.8.1权限提升漏洞 - CVE-2026-46624
Twenty: SQL Injection via the timeZone field - CVE-2026-9565
haojing8312 WorkClaw Blacklist bash.rs is_dangerous os comma - CVE-2026-44723
Vowpal Wabbit: Shell injection via crafted PR title in pytho
V. Comments for CVE-2026-9532
No comments yet