CVE-2026-11452
Published: 07 June 2026
Summary
CVE-2026-11452 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, it ranks in the top 25.5% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
Deeper analysis
A command injection vulnerability has been identified in the GL.iNet GL-MT3000 router firmware up to and including version 4.4.5. It resides in the SET_USER_PWD handler, within the function FUN_0042e200 of the /cgi-bin/glc component, where unsanitized input supplied via the Password argument is passed to a shell context, enabling command execution. The issue is tracked under CWE-74 and CWE-77 and carries a CVSS 4.0 base score of 6.9.
Remote unauthenticated attackers can supply a crafted password value over the network to achieve command injection, resulting in limited impacts to confidentiality, integrity, and availability on the affected device. No authentication or user interaction is required.
The vendor states that upgrading to firmware 4.8.1 resolves the flaw by escaping single quotes in the password parameter and processing it inside a single-quoted shell context, which prevents payloads relying on command substitution such as $() or backticks. Public references include a detailed proof-of-concept and vulnerability database entries confirming the patch.
The associated EPSS score has remained flat at 0.0100 with no material increase from its initial value.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-34983
Vulnerability details
A vulnerability has been found in GL.iNet GL-MT3000 up to 4.4.5. Affected is the function FUN_0042e200 of the file /cgi-bin/glc of the component SET_USER_PWD Handler. The manipulation of the argument Password leads to command injection. The attack can be initiated remotely. Upgrading to version 4.8.1 is able to address this issue. The affected component should be upgraded. The vendor explains: "The current code escapes single quotes in the password parameter and handles it inside a shell single-quote context. The payloads in the report, which rely on $() or backticks to trigger command substitution, are not executed under the current code path. We tested on a GL-MT3000 device running firmware 4.8.1 using similar payloads, and no command-execution marker file was created."
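The fix described in the "Deeper analysis" section and in the vendor statement above amounts to one rule: a value interpolated into a shell command line must be wrapped in single quotes, with any single quote inside the value escaped as '\'' so it cannot close the quoted region. The block below is an added illustration of that rule, not GL.iNet's firmware code (which is not public on this page). It assumes a POSIX sh is available and uses printf '%s' as a stand-in for whatever command the real handler runs; the sample password values are constructed for the demonstration.

```python
import subprocess

# Escape a value for a POSIX shell single-quoted context, the way the
# vendor describes the 4.8.1 fix: every embedded single quote becomes
# '\'' (close quote, literal quote, reopen quote), and the whole value
# is wrapped in single quotes. Nothing inside single quotes is expanded
# by the shell, so $(), backticks, ;, | and & stay literal.
def shell_single_quote(value: str) -> str:
    return "'" + value.replace("'", "'\\''") + "'"


# Naive construction: the value is dropped into single quotes without
# escaping. This already neutralises $() and backticks, but an embedded
# single quote terminates the quoted region, which is the gap the
# escaping closes.
def build_command_naive(value: str) -> str:
    return "printf '%s' '" + value + "'"


# Hardened construction (printf '%s' stands in for the real password
# setting command, which this example does not model).
def build_command(value: str) -> str:
    return "printf '%s' " + shell_single_quote(value)


# True when the escaping actually changed the command line relative to
# the naive form, i.e. only when the value contains a single quote.
def differs_from_naive(value: str) -> bool:
    return build_command(value) != build_command_naive(value)


# Run the hardened command line through sh and return what printf saw.
def run_through_sh(value: str) -> str:
    result = subprocess.run(
        ["sh", "-c", build_command(value)],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# A value is handled safely if the shell hands it to the command
# byte-for-byte unchanged: no substitution, no truncation at a quote.
def survives_literally(value: str) -> bool:
    return run_through_sh(value) == value


# Constructed sample values covering the cases the advisory mentions
# (command substitution via $() and backticks) plus an embedded quote.
SAMPLE_VALUES = [
    "hunter2",
    "$(echo substituted)",
    "`echo substituted`",
    "it's a pass'word",
    "a;b|c&d",
]


if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(f"{v!r:28} literal={survives_literally(v)} "
              f"escaping_mattered={differs_from_naive(v)}")
```

The run shows the two halves of the vendor's statement separately: every sample survives the shell unchanged, and the escaping step only alters the command line for the value containing a single quote. In Python code the same result is obtained with shlex.quote, or better still by avoiding the shell entirely and passing the value as a list argument to subprocess.run.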
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer security assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).