CVE-2026-36356
Published: 05 May 2026
Summary
CVE-2026-36356 is a critical-severity OS Command Injection (CWE-78) vulnerability in Forgeslt711 (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability is an unauthenticated OS command injection flaw (CWE-78) combined with missing authentication for a critical function (CWE-306) in the GoAhead web server running on MeiG Smart FORGE_SLT711 devices with firmware MDM9607.LE.1.0-00110-STD.PROD-1. It is reachable via the /action/SetRemoteAccessCfg endpoint and carries a CVSS 3.1 score of 9.1.
An attacker with network access can send crafted requests to the endpoint without credentials, resulting in arbitrary operating-system command execution on the device with impacts to confidentiality and integrity.
Public references consist of vendor sites for the affected hardware and a GitHub repository containing exploit details; no vendor advisories or official patches are referenced. The associated EPSS score remains low and essentially flat (current 0.0564, peak 0.0579), indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27327
Vulnerability details
The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated OS command injection (CWE-78) in a public-facing web endpoint directly enables remote exploitation of the application (T1190) and arbitrary command execution via a Unix shell (T1059.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly blocks unauthenticated requests to /action/SetRemoteAccessCfg before any command execution can occur.
- Requires validation and sanitization of all input to the endpoint, eliminating the OS command injection vector (CWE-78).
- Mandates authentication and authorization controls for all remote management interfaces, addressing the missing-authentication weakness (CWE-306).