CVE-2026-1326
Published: 22 January 2026
Summary
CVE-2026-1326 is a medium-severity Injection (CWE-74) vulnerability in Totolink Nr1800X Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-1326 by requiring timely flaw remediation through vendor patches for the command injection vulnerability in the Totolink router firmware.
Prevents command injection by requiring validation of the untrusted Hostname argument in the setWanCfg POST request handler within /cgi-bin/cstecgi.cgi.
Addresses the publicly available exploit for CVE-2026-1326 by requiring dissemination and implementation of relevant security alerts and advisories.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection via public-facing router web CGI (setWanCfg/Hostname) directly enables exploitation of public-facing application (T1190) and network device command execution (T1059.008).
NVD Description
A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. This vulnerability affects the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely.…
more
The exploit has been made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2026-1326 is a command injection vulnerability affecting the Totolink NR1800X router on firmware version 9.1.0u.6279_B20210910. The flaw exists in the setWanCfg function of the /cgi-bin/cstecgi.cgi file within the POST Request Handler component, where manipulation of the Hostname argument enables command injection. Published on 2026-01-22, it is associated with CWEs-74 and CWE-77.
The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating it can be exploited remotely over the network with low complexity by an attacker possessing low privileges, without requiring user interaction. Successful exploitation allows the attacker to achieve limited impacts on confidentiality, integrity, and availability via injected commands.
VulDB advisories detail the issue and note that an exploit has been made publicly available, heightening the potential for attacks. The Totolink vendor website provides relevant resources, and security practitioners should consult these references for any available patches or mitigation steps.
Details
- CWE(s)