{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5692", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-06T10:27:13.757Z", "datePublished": "2026-04-06T23:15:13.215Z", "dateUpdated": "2026-04-06T23:15:13.215Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-06T23:15:13.215Z"}, "title": "Totolink A7100RU cstecgi.cgi setGameSpeedCfg os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "OS Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}], "affected": [{"vendor": "Totolink", "product": "A7100RU", "versions": [{"version": "7.4cu.2313_b20191024", "status": "affected"}], "cpes": ["cpe:2.3:o:totolink:a7100ru_firmware:*:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable results in os command injection. The attack may be performed from remote. The exploit has been made public and could be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-06T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-06T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-06T12:32:39.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "LtzHust2 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/355519", "name": "VDB-355519 | Totolink A7100RU cstecgi.cgi setGameSpeedCfg os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355519/cti", "name": "VDB-355519 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/792963", "name": "Submit #792963 | Totolink A7100RU 7.4cu.2313_b20191024 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_190/README.md", "tags": ["exploit"]}, {"url": "https://www.totolink.net/", "tags": ["product"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable results in os command injection. The attack may be performed from remote. The exploit has been made public and could be used."}], "id": "CVE-2026-5692", "lastModified": "2026-04-07T00:16:20.347", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-07T00:16:20.347", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_190/README.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/792963"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355519"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355519/cti"}, {"source": "cna@vuldb.com", "url": "https://www.totolink.net/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "7.4cu.2313_b20191024"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "A7100RU", "source": "cna", "vendor": "Totolink"}, "product": "a7100ru", "vendor": "totolink"}], "analysis": {"en": {"generated_at": "2026-04-07T01:20:49.114811+00:00", "value": {"mitigation_remediation": ["Check Totolink\u2019s website or support portal for a firmware update that fixes the command injection in /cgi-bin/cstecgi.cgi.", "If no update is available, limit all web\u2011admin access to the router to a trusted internal network and block remote access from the internet.", "Disable or remove the cstecgi.cgi interface if the feature is not required, or block it via firewall rules."], "summary": {"action": "Immediate Patch", "impact": "Remote OS Command Injection"}, "threat_synthesis": {"affected_systems": "Totolink A7100RU routers running firmware version 7.4cu.2313_b20191024 are affected. This includes the cstecgi.cgi script located under /cgi-bin. No other vendor or product is currently listed as impacted.", "description_and_impact": "Affects the setGameSpeedCfg function in the cstecgi.cgi CGI script of the A7100RU router. The enable parameter can be manipulated to inject arbitrary operating system commands through the web interface. The vulnerability is a classic OS command injection, corresponding to CWE-77 and CWE-78. Remote attackers can invoke the injection from outside the host, potentially gaining the ability to execute any command on the router\u2019s operating system, which may compromise confidentiality, integrity, and availability of the device and the network it protects.", "risk_and_exploitability": "The CVSS score of 6.9 indicates medium severity. Exploitability is increased by the fact that the attack vector is remote and no special user credentials are required; the exploit has already been made public. As the EPSS score is not available and the vulnerability is not in the CISA KEV list, the prevalence risk may still be significant but uncertain. Attackers can leverage the command injection to run arbitrary commands, which can lead to full compromise of the router and possibly the connected network."}}}}, "created": "2026-04-07T06:53:31.583369+00:00", "updated": "2026-04-07T09:36:28.643015+00:00", "vendors": ["totolink", "totolink$PRODUCT$a7100ru"]}