CVE-2026-11452 | GL.iNet GL-MT3000 up to 4.4.5 SET_USER_PWD /cgi-bin/glc FUN_0042e200 Password command injection
A vulnerability has been found in GL.iNet GL-MT3000 up to 4.4.5 and classified as critical. Affected is the function FUN_0042e200 of the file /cgi-bin/glc of the component SET_USER_PWD Handler. The manipulation of the argument Password leads to command injection.
This vulnerability is documented as CVE-2026-11452. The attack can be initiated remotely. No exploit is available.
The affected component should be upgraded.
The vendor explains: "The current code escapes single quotes in the password parameter and handles it inside a shell single-quote context. The payloads in the report, which rely on $() or backticks to trigger command substitution, are not executed under the current code path. We tested on a GL-MT3000 device running firmware 4.8.1 using similar payloads, and no command-execution marker file was created."
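
The quoting the vendor describes, as an added example (not GL.iNet's code and not code from the advisory): a POSIX shell helper that escapes single quotes and places the value in a single-quote context, then checks that `$()`, backtick and single-quote inputs come back literally and leave no marker file. The function names, marker path and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not GL.iNet code. All names below are hypothetical.

# sq_escape VALUE: print VALUE as one single-quoted shell word. Each embedded
# ' becomes '\'' (close the quote, emit an escaped quote, reopen the quote).
sq_escape() {
    _rest=$1
    _out=
    while :; do
        case $_rest in
            *"'"*)
                _head=${_rest%%"'"*}
                _out="$_out$_head'\\''"
                _rest=${_rest#*"'"}
                ;;
            *)
                _out="$_out$_rest"
                break
                ;;
        esac
    done
    printf "'%s'" "$_out"
}

# roundtrip VALUE: stand-in for a handler that builds a command string from
# the password and hands it to a child shell. printf only echoes the word back.
roundtrip() {
    sh -c "printf '%s' $(sq_escape "$1")"
}

# check_literal VALUE MARKER: succeed only if the child shell returned VALUE
# byte for byte and the marker file was not created as a side effect.
check_literal() {
    rm -f "$2"
    [ "$(roundtrip "$1")" = "$1" ] && [ ! -e "$2" ]
}

# Constructed inputs: the substitution forms the vendor names, plus a value
# that contains a single quote, the character the escaping exists for.
selftest() {
    _m="${TMPDIR:-/tmp}/sq_marker.$$"
    check_literal "\$(touch $_m)" "$_m" &&
    check_literal "\`touch $_m\`" "$_m" &&
    check_literal "a'; touch $_m; 'b" "$_m" &&
    check_literal "plain-Passw0rd" "$_m"
}
```

Calling `selftest` returns 0 only when every value survives the child shell unchanged and the marker file is absent afterwards.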