Cyber Resilience

CVE-2026-1326

MediumPublic PoC

Published: 22 January 2026

Published
22 January 2026
Modified
29 January 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0321 86.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-1326 is a medium-severity Injection (CWE-74) vulnerability in Totolink Nr1800X Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1326 is a command injection vulnerability affecting the Totolink NR1800X router on firmware version 9.1.0u.6279_B20210910. The flaw exists in the setWanCfg function of the /cgi-bin/cstecgi.cgi file within the POST Request Handler component, where manipulation of the Hostname argument enables command injection. Published on 2026-01-22, it is associated with CWEs-74 and CWE-77.

The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating it can be exploited remotely over the network with low complexity by an attacker possessing low privileges, without requiring user interaction. Successful exploitation allows the attacker to achieve limited impacts on confidentiality, integrity, and availability via injected commands.

VulDB advisories detail the issue and note that an exploit has been made publicly available, heightening the potential for attacks. The Totolink vendor website provides relevant resources, and security practitioners should consult these references for any available patches or mitigation steps.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. This vulnerability affects the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely.…

more

The exploit has been made available to the public and could be used for attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

Command injection via public-facing router web CGI (setWanCfg/Hostname) directly enables exploitation of public-facing application (T1190) and network device command execution (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5030Same product: Totolink Nr1800X
CVE-2026-1327Same product: Totolink Nr1800X
CVE-2026-1328Same product: Totolink Nr1800X
CVE-2026-1548Same vendor: Totolink
CVE-2026-5176Same vendor: Totolink
CVE-2026-5020Same vendor: Totolink
CVE-2026-1150Same vendor: Totolink
CVE-2026-5105Same vendor: Totolink
CVE-2025-8937Same vendor: Totolink
CVE-2026-5178Same vendor: Totolink

Affected Assets

totolink
nr1800x firmware
9.1.0u.6279_b20210910

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-1326 by requiring timely flaw remediation through vendor patches for the command injection vulnerability in the Totolink router firmware.

prevent

Prevents command injection by requiring validation of the untrusted Hostname argument in the setWanCfg POST request handler within /cgi-bin/cstecgi.cgi.

prevent

Addresses the publicly available exploit for CVE-2026-1326 by requiring dissemination and implementation of relevant security alerts and advisories.

References