Description
A vulnerability was detected in code-projects for Plugin 4.1.2cu.5137. The impacted element is the function setWiFiMultipleConfig in the library /lib/cste_modules/wireless.so of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument wepkey2 results in buffer overflow. The attack can be launched remotely. The exploit is now public and may be used.
Published: 2026-04-30
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack-based buffer overflow exists in the setWiFiMultipleConfig function of the cstecgi.cgi CGI program in code‑projects for Plugin 4.1.2cu.5137. By supplying an overly long wepkey2 argument, an attacker can overwrite adjacent memory, potentially enabling arbitrary code execution on the affected device. The CVE does not specify the privileged context of the vulnerable code, so the exact scope of compromise is not explicitly defined, but the exploit can be triggered remotely without authentication.

Affected Systems

Each deployment of code‑projects for Plugin that includes version 4.1.2cu.5137 is impacted, as the vulnerability resides in both the /cgi-bin/cstecgi.cgi script and its underlying /lib/cste_modules/wireless.so library.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and the public exploit demonstrates that attackers can trigger the overflow by sending a crafted request to the wepkey2 parameter over HTTP. No EPSS score is available, but the public exploit indicates a non‑negligible threat. The vulnerability has not been catalogued in CISA KEV; the remote nature of the attack and the lack of required authentication mean that exploitation probability is significant. Mitigation requires the vendor patch or containment measures.

Generated by OpenCVE AI on May 2, 2026 at 00:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade code‑projects for Plugin to a version that addresses the setWiFiMultipleConfig buffer overflow.
  • Configure firewall or access controls to limit external access to the /cgi-bin/cstecgi.cgi endpoint.
  • If a patch is not immediately available, disable the cstecgi.cgi CGI script in the web server configuration.
  • Add input validation or bounds checking on the wepkey2 parameter to prevent buffer overflow until a patch is applied.

Generated by OpenCVE AI on May 2, 2026 at 00:13 UTC.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Code-projects, Code-projects for Plugin
Vendors & Products | | Code-projects, Code-projects for Plugin

Thu, 30 Apr 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in code-projects for Plugin 4.1.2cu.5137. The impacted element is the function setWiFiMultipleConfig in the library /lib/cste_modules/wireless.so of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument wepkey2 results in buffer overflow. The attack can be launched remotely. The exploit is now public and may be used.
Title | | code-projects for Plugin cstecgi.cgi setWiFiMultipleConfig buffer overflow
Weaknesses | | CWE-119, CWE-120
References | |
Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-30T21:45:11.565Z

Reserved: 2026-04-30T14:45:25.250Z

Link: CVE-2026-7503

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-04-30T22:16:26.920

Modified: 2026-05-01T15:26:24.553

Link: CVE-2026-7503

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:15:06Z

Weaknesses