CVE-2026-41923
WDR201A WiFi Extender OS Command Injection via internet.cgi
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit unsanitized parameter concatenation in the set_add_routing function to inject shell commands that are executed via popen() with partial output reflected in the HTTP response.
| CWE | CWE-78 |
| Vendor | shenzhen yipu commercial and trading co., ltd |
| Product | wdr201a wifi extender |
| Published | May 4, 2026 |
Stay Ahead of the Next One
Get instant alerts for shenzhen yipu commercial and trading co., ltd wdr201a wifi extender
Be the first to know when new unknown vulnerabilities affecting shenzhen yipu commercial and trading co., ltd wdr201a wifi extender are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Shenzhen Yipu Commercial and Trading Co., Ltd / WDR201A WiFi Extender
0 โค 1.02
References
mstreet97.github.io: https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html made-in-china.com: https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China vulncheck.com: https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-internet-cgi
Credits
Matteo Strada Daniele Berardinelli