anonhaven
Ad

CVE-2026-4611

HIGH CVSS 4.0: 8.6 EPSS 1.59%
Updated Apr 03, 2026
Totolink
Parameter Value
CVSS 8.6 (HIGH)
Type CWE-77 (Command Injection), CWE-78 (OS Command Injection)
Vendor Totolink
Public PoC No

A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection.

The attack may be launched remotely.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
High
Admin privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-77 Command Injection
CWE-78 OS Command Injection

Vulnerable Products 3

Configuration From (including) Up to (excluding)
Totolink X6000r_Firmware
cpe:2.3:o:totolink:x6000r_firmware:9.4.0cu.1360_b20241207:*:*:*:*:*:*:*
Totolink X6000r_Firmware
cpe:2.3:o:totolink:x6000r_firmware:9.4.0cu.1498_b20250826:*:*:*:*:*:*:*
Totolink X6000r
cpe:2.3:h:totolink:x6000r:-:*:*:*:*:*:*:*

References 4

https://vuldb.com/?ctiid.352475
cna@vuldb.com
https://vuldb.com/?id.352475
cna@vuldb.com
https://vuldb.com/?submit.775642
cna@vuldb.com
https://www.totolink.net/
cna@vuldb.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-6168

Totolink

8.7

CVE-2026-6029

Totolink

9.3

CVE-2026-6028

Totolink

9.3

CVE-2026-6027

Totolink

9.3

CVE-2026-6026

Totolink

9.3