Description
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
Published: 2026-03-12
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution via injected shell commands
Action: Patch Immediately
AI Analysis

Impact

GL-iNet GL-AR300M16 firmware v4.3.11 contains a command injection flaw in the M.get_system_log function. The module parameter supplied to this function is not validated, allowing an attacker to inject arbitrary shell commands into the system. The attacker, if able to trigger this path, could gain unrestricted command execution, compromising confidentiality, integrity, and availability of the device and potentially the entire network it serves.

Affected Systems

Affected product: GL-iNet GL-AR300M16 with firmware version 4.3.11. The vulnerability is recorded against the CPEs cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:* (hardware) and cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.11:*:*:*:*:*:*:* (firmware).

Risk and Exploitability

The CVSS score is 9.8, indicating a critical level of risk. The EPSS score is reported to be less than 1%, suggesting a low predicted probability of exploitation in the wild, yet a flaw with such high impact still mandates action. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, via network communication to the router’s management interface where the get_system_log function is exposed, but the exact method of exploitation (e.g., HTTP request, SNMP, etc.) is not explicitly detailed in the provided description.

Generated by OpenCVE AI on March 18, 2026 at 14:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to a firmware version that removes the vulnerable get_system_log implementation or applies the vendor’s patch when it becomes available.
  • If an upgrade is not immediately possible, block or disable the get_system_log endpoint by firewall or configuration changes to prevent remote access.
  • As an added precaution, consider disabling remote management interfaces or restricting them to trusted IP ranges.
  • Reset the device to factory defaults and configure strong authentication to mitigate potential credential compromise.
  • Continuously monitor network traffic for anomalous calls to the get_system_log function.


Advisories

No advisories yet.

History

Fri, 20 Mar 2026 15:45:00 +0000
  • Title, values added: Command Injection in GL-iNet GL-AR300M16 v4.3.11 via get_system_log

Sat, 14 Mar 2026 04:15:00 +0000
  • Metrics, values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 19:00:00 +0000
  • First Time appeared, values added: Gl-inet ar300m16; Gl-inet ar300m16 Firmware
  • Weaknesses, values added: CWE-77
  • CPEs, values added: cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*; cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.11:*:*:*:*:*:*:*
  • Vendors & Products, values added: Gl-inet ar300m16; Gl-inet ar300m16 Firmware
  • Metrics, values added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 13 Mar 2026 10:00:00 +0000
  • First Time appeared, values added: Gl-inet; Gl-inet gl-ar300m16
  • Vendors & Products, values added: Gl-inet; Gl-inet gl-ar300m16

Thu, 12 Mar 2026 18:15:00 +0000
  • Description, values added: GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.
  • References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-14T03:30:31.005Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26795

Vulnrichment

Updated: 2026-03-14T03:30:12.652Z

NVD

Status: Modified

Published: 2026-03-12T18:16:23.070

Modified: 2026-03-16T14:18:27.577

Link: CVE-2026-26795

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:25Z

Weaknesses