Description
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the string port parameter in the enable_echo_server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
Published: 2026-03-12
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

GL-iNet GL-AR300M16 firmware version 4.3.11 contains a command injection flaw in the enable_echo_server function. The vulnerability arises from unvalidated user input in the string port parameter, which lets an attacker inject shell metacharacters and thereby construct arbitrary shell commands. The weakness is classified as CWE-77. This flaw provides full control over the device's operating system, enabling attackers to exfiltrate data, alter configuration, or pivot to other network assets.

Affected Systems

The affected hardware is the GL‑iNet GL‑AR300M16 router running firmware 4.3.11. No other firmware revisions or product variants are currently documented as impacted. The vulnerability is confined to the enable_echo_server routine and does not affect other services on the device.

Risk and Exploitability

The CVSS score of 9.8 classifies this issue as Critical. The EPSS score is reported as less than 1%, indicating a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector requires remote access to the device's web or management interface, through which a crafted port value can be supplied to trigger the injection. This would allow an attacker with network reach to the router to run arbitrary commands, effectively compromising the host.

Generated by OpenCVE AI on March 18, 2026 at 16:06 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest GL‑iNet firmware that removes or secures the enable_echo_server functionality.
  • If an update is unavailable, disable the enable_echo_server feature via the router’s configuration settings or block its associated network port.
  • Restrict access to the router’s management interface to trusted IP addresses or networks only.
  • Implement network segmentation to isolate the router from critical infrastructure and reduce the blast radius.
  • Enable comprehensive logging and monitor for suspicious command usage or anomalous traffic patterns.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 15:45:00 +0000

Type | Values Removed | Values Added
Title | (none) | Command Injection Vulnerability in GL-iNet GL-AR300M16 v4.3.11

Sat, 14 Mar 2026 04:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Gl-inet ar300m16; Gl-inet ar300m16 Firmware
Weaknesses | (none) | CWE-77
CPEs | (none) | cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*; cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.11:*:*:*:*:*:*:*
Vendors & Products | (none) | Gl-inet ar300m16; Gl-inet ar300m16 Firmware
Metrics | (none) | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 13 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Gl-inet; Gl-inet gl-ar300m16
Vendors & Products | (none) | Gl-inet; Gl-inet gl-ar300m16

Thu, 12 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the string port parameter in the enable_echo_server function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
References | (none) | (none)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-14T03:23:33.407Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26791

Vulnrichment

Updated: 2026-03-14T03:23:27.424Z

NVD

Status : Modified

Published: 2026-03-12T18:16:22.690

Modified: 2026-03-16T14:18:27.057

Link: CVE-2026-26791

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:29Z

Weaknesses