CVE-2026-41922
WDR201A WiFi Extender OS Command Injection via wireless.cgi
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allow unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication.
| CWE | CWE-78 |
| Vendor | shenzhen yipu commercial and trading co., ltd |
| Product | wdr201a wifi extender |
| Published | May 4, 2026 |
| Last Updated | May 4, 2026 |
Stay Ahead of the Next One
Get instant alerts for shenzhen yipu commercial and trading co., ltd wdr201a wifi extender
Be the first to know when new unknown vulnerabilities affecting shenzhen yipu commercial and trading co., ltd wdr201a wifi extender are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Shenzhen Yipu Commercial and Trading Co., Ltd / WDR201A WiFi Extender
0 โค 1.02
References
mstreet97.github.io: https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html made-in-china.com: https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China vulncheck.com: https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-wireless-cgi
Credits
Matteo Strada Daniele Berardinelli