Description
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain multiple command injection vulnerabilities in the set_upgrade function via the modem_url, target_version, current_version, firmware_upload, hash_type, hash_value, and upgrade_type parameters. These vulnerabilities allow attackers to execute arbitrary commands via a crafted input.
Published: 2026-03-12
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Arbitrary Command Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the set_upgrade function of GL-iNet GL-AR300M16 firmware version 4.3.11, where several input parameters (modem_url, target_version, current_version, firmware_upload, hash_type, hash_value, upgrade_type) are not properly validated, enabling a malicious actor to inject and execute arbitrary OS commands. This results in potential compromise of device confidentiality, integrity, and availability, as an attacker could fully control the device through arbitrary command execution (CWE-77).

Affected Systems

Affected systems are GL-iNet GL-AR300M16 routers running firmware v4.3.11, as identified by the provided CPE strings for the model and firmware. No other vendors or product lineages are listed in the CVE entry.

Risk and Exploitability

The CVSS score of 9.8 reflects a high severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not in the CISA KEV catalog, suggesting no known active exploits. It is inferred that the attack vector is remote, requiring network access to the device’s firmware upgrade interface, but explicit details are not provided. The risk remains high due to potential full device takeover if an attacker can reach the vulnerable endpoint.

Generated by OpenCVE AI on March 18, 2026 at 15:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware patch for GL-iNet GL-AR300M16 if available.
  • Block or restrict network access to the set_upgrade endpoint using firewall or access control rules.
  • Monitor router logs for suspicious upgrade activity and command injection attempts.
  • Check the vendor’s website or support channels for official updates or advisories.

Generated by OpenCVE AI on March 18, 2026 at 15:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 14 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Gl-inet ar300m16
Gl-inet ar300m16 Firmware
Weaknesses CWE-77
CPEs cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.11:*:*:*:*:*:*:*
Vendors & Products Gl-inet ar300m16
Gl-inet ar300m16 Firmware
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Gl-inet
Gl-inet gl-ar300m16
Vendors & Products Gl-inet
Gl-inet gl-ar300m16

Thu, 12 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description GL-iNet GL-AR300M16 v4.3.11 was discovered to contain multiple command injection vulnerabilities in the set_upgrade function via the modem_url, target_version, current_version, firmware_upload, hash_type, hash_value, and upgrade_type parameters. These vulnerabilities allow attackers to execute arbitrary commands via a crafted input.
References

Subscriptions

Gl-inet Ar300m16 Ar300m16 Firmware Gl-ar300m16
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-14T03:26:25.162Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26792

cve-icon Vulnrichment

Updated: 2026-03-14T03:26:18.140Z

cve-icon NVD

Status : Modified

Published: 2026-03-12T18:16:22.817

Modified: 2026-03-16T14:18:27.230

Link: CVE-2026-26792

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:36:28Z

Weaknesses