Details of VAR-202601-2406

ID

VAR-202601-2406

CVE

CVE-2026-1326

TITLE

TOTOLINK of nr1800x Multiple vulnerabilities in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2026-002453

DESCRIPTION

A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. This vulnerability affects the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Exploits are publicly available and may be used in attacks.All information handled by the software may be leaked to the outside. All information handled by the software may be rewritten. Furthermore, the software may stop working completely

Trust: 1.62

sources: NVD: CVE-2026-1326 // JVNDB: JVNDB-2026-002453

AFFECTED PRODUCTS

vendor:	totolink	model:	nr1800x	scope:	eq	version:	9.1.0u.6279_b20210910	Trust: 1.0
vendor:	totolink	model:	nr1800x	scope:	eq	version:	-	Trust: 0.8
vendor:	totolink	model:	nr1800x	scope:	eq	version:	nr1800x firmware 9.1.0u.6279_b20210910	Trust: 0.8
vendor:	totolink	model:	nr1800x	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2026-002453 // NVD: CVE-2026-1326

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com:	CVE-2026-1326
value:	LOW
Trust: 1.0
nvd@nist.gov:	CVE-2026-1326
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2026-002453
value:	HIGH
Trust: 0.8

cna@vuldb.com:	CVE-2026-1326
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
OTHER:	JVNDB-2026-002453
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8

cna@vuldb.com:	CVE-2026-1326
baseSeverity:	MEDIUM
baseScore:	6.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	2.8
impactScore:	3.4
version:	3.1
Trust: 1.0
nvd@nist.gov:	CVE-2026-1326
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	JVNDB-2026-002453
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2026-002453 // NVD: CVE-2026-1326 // NVD: CVE-2026-1326

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	CWE-74	Trust: 1.0
problemtype:	injection (CWE-74) [ others ]	Trust: 0.8
problemtype:	Command injection (CWE-77) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2026-002453 // NVD: CVE-2026-1326

PATCH

title:

Submit #735787

url:

https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWanCfg-2e453a41781f80b390f3e1ce0d9dd5b9?source=copy_link

Trust: 0.8

sources: JVNDB: JVNDB-2026-002453

EXTERNAL IDS

db:	NVD	id:	CVE-2026-1326	Trust: 2.6
db:	VULDB	id:	342302	Trust: 1.0
db:	JVNDB	id:	JVNDB-2026-002453	Trust: 0.8

sources: JVNDB: JVNDB-2026-002453 // NVD: CVE-2026-1326

REFERENCES

url:	https://www.totolink.net/	Trust: 1.8
url:	https://vuldb.com/?id.342302	Trust: 1.0
url:	https://vuldb.com/?ctiid.342302	Trust: 1.0
url:	https://vuldb.com/?submit.735787	Trust: 1.0
url:	https://lavender-bicycle-a5a.notion.site/totolink-nr1800x-setwancfg-2e453a41781f80b390f3e1ce0d9dd5b9?source=copy_link	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2026-1326	Trust: 0.8

sources: JVNDB: JVNDB-2026-002453 // NVD: CVE-2026-1326

SOURCES

db:	JVNDB	id:	JVNDB-2026-002453
db:	NVD	id:	CVE-2026-1326

LAST UPDATE DATE

2026-02-03T23:23:08.025000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2026-002453	date:	2026-02-02T10:37:00
db:	NVD	id:	CVE-2026-1326	date:	2026-01-29T17:50:11.663

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2026-002453	date:	2026-02-02T00:00:00
db:	NVD	id:	CVE-2026-1326	date:	2026-01-22T15:16:50.790