CVE-2026-9532

6.3 MEDIUM

A security vulnerability has been detected in Totolink CA750-PoE 6.2c.510

Published: 2026-05-26 · Last updated: 2026-05-26

Severity and scoring

CVSS: 6.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-77, CWE-78

Description

A security vulnerability has been detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Such manipulation of the argument FileName leads to os command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-9532
[Other]https://github.com/wudipjq/my_vuln/blob/main/totolink4/vuln_55/55.md
[Other]https://vuldb.com/submit/813930
[Other]https://vuldb.com/vuln/365559
[Other]https://vuldb.com/vuln/365559/cti
[Other]https://www.totolink.net/

Related CVEs

Same CWE

CVE-2026-22313 — The device has a webserver that exposes a REST API authenticated with a token on the management network (9.1 CRITICAL)
CVE-2026-44932 — Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a ... (8.8 HIGH)
CVE-2024-24909 — Dell OpenManage Integration with Microsoft Windows Admin Center contains a Remote Code Execution vulnerability in the gateway plugin (8.8 HIGH)
CVE-2026-12398 — A command injection vulnerability was found in galaxy_ng (7.5 HIGH)
CVE-2026-5416 — Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command in... (8.8 HIGH)