Description
thingino-firmware versions up to the firmware-2026-03-16 release contain an unauthenticated OS command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can exploit the eval function in the parse_query() and parse_post() functions to achieve remote code execution and perform privileged configuration changes including root password reset and SSH authorized_keys modification, resulting in full persistent device compromise.
Published: 2026-03-26
Score: 8.7 High
EPSS: 6.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

thingino-firmware versions up to and including firmware-2026-03-16 contain an unauthenticated OS command injection flaw (CWE-78) in the WiFi captive‑portal CGI script (api.cgi). HTTP parameter names taken from the query string and the POST body are passed unsanitized to eval inside parse_query() and parse_post(), so a parameter name that carries shell metacharacters is executed as shell code. Because the CGI runs as root, an attacker can run arbitrary commands, reset the root password and write SSH authorized_keys, which gives persistent full control of the device.
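
As an added illustration, not code from thingino-firmware or from OpenCVE, the shell fragment below reconstructs the bug class the advisory describes (a CGI shell parser that splices the raw parameter name into an eval string) next to a hardened parser. The function and variable names, the q_ prefix and the sample query strings are assumptions for this demo; real CGI input is percent-encoded, which is omitted here so the metacharacters stay visible.

```shell
#!/bin/sh
# Added example, not code from thingino-firmware or OpenCVE: a reconstruction
# of the bug class described above (a CGI shell parser that splices the raw
# HTTP parameter NAME into an eval string) next to a hardened parser.
# Function names, variable names, the q_ prefix and the sample query strings
# are assumptions for this demo. Real CGI input is percent-encoded; decoding
# is skipped here so the shell metacharacters stay visible.

# Stand-in for what a real attacker would run (passwd, writing
# ~/.ssh/authorized_keys, ...): it only sets a marker variable.
mark_injected() { INJECTED=yes; }

# --- Vulnerable pattern ------------------------------------------------------
# Each "name=value" pair becomes `eval "name=\"value\""`. The name is never
# validated, so a name such as `true;mark_injected;y` is spliced straight
# into the command line that eval runs.
vulnerable_parse_query() {
    _qs="$1"
    _old_ifs="$IFS"
    IFS='&'
    set -f                          # no globbing while splitting on '&'
    for _pair in $_qs; do
        _key="${_pair%%=*}"
        _val="${_pair#*=}"
        eval "$_key=\"$_val\""      # <- unsanitized name reaches eval
    done
    set +f
    IFS="$_old_ifs"
}

# --- Hardened pattern --------------------------------------------------------
# 1. Only names matching [A-Za-z_][A-Za-z0-9_]* are accepted, and the whole
#    request is rejected (fail closed) if any name is bad.
# 2. Results land in a q_ namespace, so a request cannot overwrite PATH, IFS
#    or other variables the script itself depends on.
# 3. The value is assigned via `\$_val`, so eval never re-parses its content.
valid_name() {
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

safe_parse_query() {
    _qs="$1"
    _old_ifs="$IFS"
    IFS='&'
    set -f
    for _pair in $_qs; do          # pass 1: validate before assigning anything
        if ! valid_name "${_pair%%=*}"; then
            set +f
            IFS="$_old_ifs"
            echo "rejected parameter name: ${_pair%%=*}" >&2
            return 1
        fi
    done
    for _pair in $_qs; do          # pass 2: assign into the q_ namespace
        _key="${_pair%%=*}"
        _val="${_pair#*=}"
        eval "q_$_key=\$_val"
    done
    set +f
    IFS="$_old_ifs"
    return 0
}

# --- Demo --------------------------------------------------------------------
# Constructed request: one legitimate parameter, then a parameter whose NAME
# carries a command sequence.
ATTACK='ssid=cam1&true;mark_injected;y=1'

vulnerable_parse_query "$ATTACK"
echo "vulnerable parser: ssid=$ssid INJECTED=${INJECTED:-unset}"

unset INJECTED
if safe_parse_query "$ATTACK"; then
    echo "hardened parser: accepted (should not happen)"
else
    echo "hardened parser: request rejected, INJECTED=${INJECTED:-unset}"
fi
safe_parse_query 'ssid=cam1&psk=s3cret;not"code'
echo "hardened parser: q_ssid=$q_ssid q_psk=$q_psk"
```

Run it with any POSIX sh. The hardened parser validates every name before it assigns anything, so one bad pair rejects the whole request rather than leaving a half-applied configuration, and it never lets the request choose the left-hand side of an assignment outside the q_ namespace. If the script only needs a fixed set of parameters, a case statement over the known names with no eval at all is simpler still.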

Affected Systems

The affected systems are devices running themactep:thingino-firmware, specifically any firmware build up to and including firmware-2026-03-16.

Risk and Exploitability

With a CVSS 4.0 score of 8.7 the vulnerability is rated high; NVD's separate CVSS 3.1 assessment scores it 9.8 (critical) with a network attack vector. The 4.0 vector (AV:A, PR:N, UI:N) reflects what the bug requires: unauthenticated HTTP access to the captive‑portal endpoint from the same wireless or local network segment, with no user interaction. The EPSS score of 6.2% indicates a moderate likelihood of exploitation, the flaw is not on the CISA KEV list, and the SSVC assessment at publication recorded no known exploitation; even so, unauthenticated root‑level command execution on an exposed network service makes this a serious threat if left unpatched.

Generated by OpenCVE AI on June 18, 2026 at 13:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a thingino-firmware release newer than firmware-2026-03-16 once it is confirmed to remove the eval of untrusted parameter names in parse_query() and parse_post(); the advisory names that release as the last affected build but lists no fixed version.
  • If an update cannot be applied immediately, keep the device's HTTP service, and the captive‑portal CGI in particular, off untrusted networks: the CVSS 4.0 vector rates the attack as adjacent‑network and unauthenticated, so anyone who can reach the device over WiFi or the LAN can exploit it. Monitor HTTP requests to the device for parameter names containing shell metacharacters (`;`, `|`, backticks, `$(`), which a request against this bug has to carry.
  • Keep device firmware current by regularly checking the vendor website for further updates or security advisories.
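
The "monitor for suspicious activity" advice can be made concrete. The script below is an added example (not tooling from OpenCVE or thingino) that scans access-log lines for query-string parameter names containing anything outside [A-Za-z0-9_], the property any request against an eval-based parser like the one described must have. It assumes requests to the device are logged in common/combined access-log format; the /cgi-bin/api.cgi path and every log line are constructed for the demo.

```shell
#!/bin/sh
# Added detection example, not tooling from thingino-firmware or OpenCVE.
# Assumption: requests to the camera are logged in common/combined access-log
# format (fields: client, -, -, [time, zone], "METHOD path?query PROTO", ...).
# The /cgi-bin/api.cgi path and every log line below are constructed.

# Read access-log lines on stdin; print "<line-no>\t<decoded name>" for each
# query-string parameter whose NAME is not a plain identifier.
scan_access_log() {
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    function urldecode(s,   out, c, i, n) {
        out = ""; n = length(s)
        for (i = 1; i <= n; i++) {
            c = substr(s, i, 1)
            if (c == "%" && i + 2 <= n) {
                out = out sprintf("%c", hexval(substr(s, i+1, 1)) * 16 + hexval(substr(s, i+2, 1)))
                i += 2
            } else if (c == "+") {
                out = out " "
            } else {
                out = out c
            }
        }
        return out
    }
    {
        req = $7                       # "path?query" of the request line
        q = index(req, "?")
        if (q == 0) next               # no query string (e.g. a POST body)
        cnt = split(substr(req, q + 1), pairs, "&")
        for (i = 1; i <= cnt; i++) {
            name = pairs[i]
            sub(/=.*/, "", name)       # keep only the parameter name
            name = urldecode(name)
            if (name !~ /^[A-Za-z_][A-Za-z0-9_]*$/) print NR "\t" name
        }
    }'
}

# Constructed sample: one benign request, one name carrying ";id>", one POST
# (body not visible in the log), one name wrapped in backticks.
SAMPLE_LOG='10.0.0.5 - - [26/Mar/2026:19:15:00 +0000] "GET /cgi-bin/api.cgi?ssid=cam1&psk=secret HTTP/1.1" 200 12
10.0.0.9 - - [26/Mar/2026:19:15:07 +0000] "GET /cgi-bin/api.cgi?ssid=cam1&true%3Bid%3Ey=1 HTTP/1.1" 200 12
10.0.0.9 - - [26/Mar/2026:19:15:09 +0000] "POST /cgi-bin/api.cgi HTTP/1.1" 200 12
10.0.0.9 - - [26/Mar/2026:19:15:12 +0000] "GET /cgi-bin/api.cgi?%60id%60=1 HTTP/1.1" 200 12'

printf '%s\n' "$SAMPLE_LOG" | scan_access_log
```

Feed it a real log with `scan_access_log < access.log`. POST bodies do not appear in access logs, so the traffic that reaches parse_post() needs a packet capture or a reverse proxy that logs request bodies; the scanner above only covers the parse_query() side.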

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Thingino; Thingino thingino Firmware
CPEs                |                | cpe:2.3:o:thingino:thingino_firmware:*:*:*:*:*:*:*:*
Vendors & Products  |                | Thingino; Thingino thingino Firmware
Metrics             |                | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 27 Mar 2026 08:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Themactep; Themactep thingino-firmware
Vendors & Products  |                | Themactep; Themactep thingino-firmware

Thu, 26 Mar 2026 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 19:15:00 +0000

Type        | Values Removed | Values Added
Description |                | thingino-firmware versions up to the firmware-2026-03-16 release contains an unauthenticated os command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can exploit the eval function in parse_query() and parse_post() functions to achieve remote code execution and perform privileged configuration changes including root password reset and SSH authorized_keys modification, resulting in full persistent device compromise.
Title       |                | thingino-firmware api.cgi Unauthenticated Command Injection in Captive Portal
Weaknesses  |                | CWE-78
References  |                |
Metrics     |                | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-26T19:21:33.135Z

Reserved: 2026-02-11T20:08:07.943Z

Link: CVE-2026-26213

Vulnrichment

Updated: 2026-03-26T19:21:28.345Z

NVD

Status : Analyzed

Published: 2026-03-26T19:16:38.787

Modified: 2026-06-17T10:25:57.033

Link: CVE-2026-26213

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T13:30:05Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')