Description
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the set_config function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
Published: 2026-03-12
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch ASAP
AI Analysis

Impact

GL-iNet GL-AR300M16 firmware version 4.3.11 contains a command injection flaw in the set_config function. An attacker who can supply a specially crafted request can execute arbitrary system commands, giving them full control over the device. The vulnerability exposes the confidentiality, integrity, and availability of the device and any networks it connects to.

Affected Systems

The affected product is GL-iNet GL-AR300M16 with firmware 4.3.11. No other version information is provided, but the CPE data references that exact firmware revision.

Risk and Exploitability

The CVSS score is 9.8, indicating critical severity. The EPSS score is below 1%, suggesting current exploit activity is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via the device’s HTTP API that exposes the set_config function, although the description does not explicitly state the transport. Given the high impact, even a low probability exploit warrants immediate attention.

Generated by OpenCVE AI on March 18, 2026 at 15:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check GL-iNet for an updated firmware release that addresses the command injection in set_config.
  • If no patch is available, disable or restrict access to the set_config endpoint through firewall rules or network segmentation.
  • Monitor device logs for unexpected command execution attempts and apply additional intrusion detection if possible.

Generated by OpenCVE AI on March 18, 2026 at 15:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Gl-inet ar300m16
Gl-inet ar300m16 Firmware
CPEs cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*
cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.11:*:*:*:*:*:*:*
Vendors & Products Gl-inet ar300m16
Gl-inet ar300m16 Firmware

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Gl-inet
Gl-inet gl-ar300m16
Vendors & Products Gl-inet
Gl-inet gl-ar300m16

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the set_config function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
References

Subscriptions

Gl-inet Ar300m16 Ar300m16 Firmware Gl-ar300m16
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-12T19:14:06.654Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26793

cve-icon Vulnrichment

Updated: 2026-03-12T19:12:29.954Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-12T19:16:16.073

Modified: 2026-03-13T16:02:22.993

Link: CVE-2026-26793

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:36:27Z

Weaknesses