CVE-2026-1723
Published: 30 January 2026
Summary
CVE-2026-1723 is a critical-severity OS Command Injection (CWE-78) vulnerability in the TOTOLINK X6000R router. Its CVSS 4.0 base score is 9.2 (Critical).
Operationally, it ranks in the top 45.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2026-1723 is an OS command injection vulnerability (CWE-78) present in the TOTOLINK X6000R router. It stems from improper neutralization of special elements in OS commands and affects all firmware versions through V9.4.0cu.1498_B20250826. The flaw carries a CVSS 4.0 score of 9.2.
An unauthenticated remote attacker can supply crafted input over the network to execute arbitrary operating-system commands on the device. Because the injected commands run with the privileges of the firmware process that builds the command line (commonly root on consumer routers), successful exploitation can alter system integrity and availability and also has secondary impacts on confidentiality; the attack complexity is rated as high under the published vector.
The referenced Palo Alto Networks disclosure and TOTOLINK firmware download page are the primary sources for mitigation details and any available updates; until a fixed build is confirmed, the device's administrative interface should not be reachable from untrusted networks. The EPSS score rose from a low baseline to a peak of 0.0198 on 2026-02-05 before receding to the current value of 0.0047, indicating a temporary increase in exploitation interest after public disclosure.
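The pattern behind CWE-78 in router firmware is usually a web handler that splices a request parameter into a shell command. The following is an added illustration written for this page, not code from TOTOLINK or from the X6000R firmware: a hypothetical "ping" diagnostic handler shown first in its vulnerable form (the untrusted host string is formatted into a command destined for system()) and then hardened with an allow-list check and an argv array so that no shell ever parses the input. Function names, the ping invocation and the sample attacker input are all assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical router diagnostic handler (illustrative only, not the
 * X6000R's actual code): the web UI passes a "host" parameter to ping. */

/* VULNERABLE (CWE-78): the untrusted value is spliced into a shell command
 * line. Returns the string that would be handed to system(); nothing is
 * executed here so the flaw can be inspected safely. Returns -1 on truncation. */
int build_ping_cmd_vulnerable(const char *host, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "ping -c 4 %s", host);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* Detection helper: does the input contain characters a POSIX shell would
 * interpret (command separators, pipes, substitution, redirection)? */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&`$<>()\n\r") != NULL;
}

/* Allow-list check for the hardened path: only hostname/IPv4 characters,
 * bounded length, and no leading '-' so the value can never be read as an
 * option by the called program. */
int is_valid_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* HARDENED: validate, then build an argv vector for execvp()/posix_spawn()
 * instead of a command string. Returns argc on success, -1 if the host is
 * rejected or the caller's array is too small. */
int build_ping_argv_safe(const char *host, const char **argv, size_t argv_len)
{
    if (argv_len < 5 || !is_valid_host(host))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "4";
    argv[3] = host;   /* passed as a single argument, never re-parsed by a shell */
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    /* Constructed attacker input: a command separator followed by a payload. */
    const char *evil = "8.8.8.8;cat /etc/passwd";
    char cmd[128];
    const char *argv[8];

    if (build_ping_cmd_vulnerable(evil, cmd, sizeof cmd) > 0)
        printf("vulnerable path would run: %s  (metachar=%d)\n",
               cmd, has_shell_metachar(evil));

    if (build_ping_argv_safe(evil, argv, 8) < 0)
        printf("hardened path rejected: %s\n", evil);
    if (build_ping_argv_safe("8.8.8.8", argv, 8) == 4)
        printf("hardened path accepted: %s %s %s %s\n",
               argv[0], argv[1], argv[2], argv[3]);
    return 0;
}
```

The point of the hardened variant is that validation and the argv interface are independent layers: even if the allow-list were loosened later, execvp() receives the host as one argument and no shell is present to honour `;`, `|` or `$(...)`.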
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5005
Vulnerability details
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection. This issue affects X6000R: through V9.4.0cu.1498_B20250826.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)