CVE-2026-11451
Published: 07 June 2026
Summary
CVE-2026-11451 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, ranked in the top 21.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A command injection vulnerability exists in the GL.iNet GL-MT3000 firmware version 4.4.5 within the FTP Protocol Handler. Specifically, the snprintf function in /cgi-bin/glc accepts an unsanitized media_dir argument that is written into the vsftpd configuration, allowing an attacker to inject shell commands. The issue is tracked as CWE-74 and CWE-77, carries a CVSS 4.0 score of 6.9, and is remotely exploitable without authentication or user interaction.
An unauthenticated remote attacker can supply a crafted media_dir value to the /NAS_API_SET_PROTO_CONFIG interface, resulting in arbitrary command execution on the device with limited impact to confidentiality, integrity, and availability. Successful exploitation grants the ability to run operating-system commands in the context of the FTP configuration handler.
The vendor states that version 4.8.1 resolves the flaw by calling escape_single_quote() on the media_dir value before it is written to /etc/vsftpd.conf, rendering the previously published injection payloads ineffective. The EPSS score has remained flat at 0.0125 with no observed increase after disclosure. Public references include a detailed proof-of-concept repository and multiple VulDB entries describing the same vector.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-34982
Vulnerability details
A flaw has been found in GL.iNet GL-MT3000 4.4.5. This impacts the function snprintf of the file /cgi-bin/glc of the component FTP Protocol Handler. Executing a manipulation of the argument media_dir can lead to command injection. It is possible to…
more
launch the attack remotely. Upgrading to version 4.8.1 will fix this issue. You should upgrade the affected component. The vendor explains: "In version 4.8.1, before writing media_dir to the FTP configuration command, the code escapes single quotes using escape_single_quote(). The payloads in the report—which rely on closing a single quote, appending commands with a semicolon, and commenting out the tail with #—cannot escape execution under the current code path. We also verified this on a GL‑MT3000 device running firmware version 4.8.1 using similar payloads calling the /NAS_API_SET_PROTO_CONFIG interface. Although the interface returned success, the marker file intended to prove command execution was not created; the payload was written into /etc/vsftpd.conf only as ordinary configuration content and did not trigger any shell command execution. Therefore, with the current firmware version and default runtime environment, we could not reproduce the claimed “unauthorized command injection in set_proto_config”."
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.