CVE-2026-22209

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N                                    

Vulnerability Description

thingino-firmware up to commit e3f6a41 (published on 2026-03-15) contains an unauthenticated os command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can exploit the eval function in parse_query() and parse_post() functions to achieve remote code execution and perform privileged configuration changes including root password reset and SSH authorized_keys modification, resulting in full persistent device compromise.

Vulnerability Details

Published Date

March 13, 2026

Last Modified

March 20, 2026

CWE ID

CWE-79

Source

NVD

Vendor

gVectors

Product

wpDiscuz

External References

https://wordpress.org/plugins/wpdiscuz/
https://wordpress.org/plugins/wpdiscuz/#developers
https://www.vulncheck.com/advisories/wpdiscuz-before-cross-site-scripting-via-unescaped-custom-css-in-style-tag

CVE-2026-22209

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment