CVE-2026-26213

UNKNOWN 0.0

thingino-firmware api.cgi Unauthenticated Command Injection in Captive Portal

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

thingino-firmware versions up to the firmware-2026-03-16 release contains an unauthenticated os command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can exploit the eval function in parse_query() and parse_post() functions to achieve remote code execution and perform privileged configuration changes including root password reset and SSH authorized_keys modification, resulting in full persistent device compromise.

CWE	CWE-78
Vendor	themactep
Product	thingino-firmware
Published	Mar 26, 2026
Last Updated	Mar 26, 2026

Stay Ahead of the Next One

Get instant alerts for themactep thingino-firmware

Be the first to know when new unknown vulnerabilities affecting themactep thingino-firmware are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

themactep / thingino-firmware

0 ≤ firmware-2026-03-16

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/themactep/thingino-firmware/releases/tag/firmware-2026-03-15 vulncheck.com: https://www.vulncheck.com/advisories/thingino-firmware-api-cgi-unauthenticated-command-injection-in-captive-portal

Credits

Azmi Alsarayrah