CVE-2026-12187

HIGH 8.8

GL.iNet GL-MT3000 Online Firmware Upgrade one_click_upgrade command injection

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

A security vulnerability has been detected in GL.iNet GL-MT3000 up to 4.4.5. Affected by this vulnerability is an unknown functionality of the file /usr/bin/one_click_upgrade of the component Online Firmware Upgrade Handler. Such manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 4.7 addresses this issue. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

CWE	CWE-77 CWE-74
Vendor	gl.inet
Product	gl-mt3000
Published	Jun 14, 2026

Stay Ahead of the Next One

Get instant alerts for gl.inet gl-mt3000

Be the first to know when new high vulnerabilities affecting gl.inet gl-mt3000 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

GL.iNet / GL-MT3000

4.4.0 4.4.1 4.4.2 4.4.3 4.4.4 4.4.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/370833 vuldb.com: https://vuldb.com/vuln/370833/cti vuldb.com: https://vuldb.com/cve/CVE-2026-12187 vuldb.com: https://vuldb.com/submit/815654 github.com: https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/upgrade_online_url fw.gl-inet.com: https://fw.gl-inet.com/firmware/mt3000/release/mt3000-4.8.1-0819-1755615825.tar

Credits

🔍 strforexc (VulDB User) VulDB CNA Team