Ghostwire
Home / Vulnerabilities / CVE-2026-41926

CVE-2026-41926: WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the...

CRITICAL CVSS 9.5

Published: May 4, 2026 | Last Modified: May 4, 2026

Description

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (2 articles)

Tenable CVEs
CVE-2026-41926
 CVE Feed
CVE-2026-41926 - WDR201A WiFi Extender OS Command Injection via firewall.cgi

References