CVE-2026-26795

CriticalPublic PoCRCE

Published: 12 March 2026

Published

12 March 2026

Modified

16 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0111 78.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26795 is a critical-severity Command Injection (CWE-77) vulnerability in Gl-Inet Ar300M16 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the lack of input sanitization in the module parameter of M.get_system_log, preventing command injection by validating all user-supplied inputs.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific command injection flaw in GL-iNet firmware version 4.3.11 through patching or updates.

SI-9 Information Input Restrictions partial match

prevent

Restricts the module parameter to organization-defined safe values, blocking crafted inputs that enable arbitrary command execution.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

Unauthenticated remote command injection via public-facing web interface on router enables T1190 (Exploit Public-Facing Application) for initial access and T1059.008 (Network Device CLI) for arbitrary OS command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

Deeper analysisAI

CVE-2026-26795 is a command injection vulnerability affecting the GL-iNet GL-AR300M16 router running firmware version 4.3.11. The flaw exists in the M.get_system_log function, where the module parameter fails to properly sanitize user input, enabling attackers to inject and execute arbitrary operating system commands. This issue, classified under CWE-77 (Command Injection), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote exploitation.

The vulnerability can be exploited by unauthenticated attackers over the network with low complexity and no user interaction required. By crafting malicious input for the module parameter, an attacker can execute arbitrary commands on the device, potentially leading to full system compromise, including data theft, modification of configurations, or further lateral movement within a network. The unchanged scope and high impacts on confidentiality, integrity, and availability underscore its risk to Internet-exposed IoT devices.

A proof-of-concept demonstrating the vulnerability is available in the GitHub repository at https://github.com/sezangel/IOT-vul/tree/main/GL-iNet/GL-AR300M16/logread--get_system_log. No vendor advisories or patches were referenced in the CVE details.