CVE-2026-5103

MEDIUM

Published:Mar 30, 2026(Today)

Modified:Mar 30, 2026

AI Explanation

A command injection vulnerability exists in the Totolink A3300R router's UPnP configuration function, allowing remote attackers to inject malicious commands. This is due to a weakness in the setUPnPCfg function of the /cgi-bin/cstecgi.cgi file, specifically with the 'enable' argument. Developers should prioritize patching this issue to prevent potential attacks.

Users of the Totolink A3300R router with firmware version 17.0.0cu.557_b20221024 are at risk of remote command injection attacks, which is considered a medium severity vulnerability.

Network AccessLow ComplexityLow PrivilegesNo User Interaction

How to Fix

1Update the Totolink A3300R firmware to a version later than 17.0.0cu.557_b20221024, 2. Disable UPnP on the router until a patch is available, 3. Implement a web application firewall (WAF) to detect and prevent command injection attacks

References

https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_en...
https://vuldb.com/submit/779140
https://vuldb.com/vuln/354128
https://vuldb.com/vuln/354128/cti

CVSS Score

v3.1

6.3/ 10.0

MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

At a Glance

Affected Products

References

CVSS v3 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVE-2026-5103

✦ AI Explanation

How to Fix

References

CVSS Score

At a Glance

CVSS v3 Vector

Impact Analysis

AI Explanation