HIGHCVE-2026-1158Published 2026-01-19Modified 2026-02-23CNA VulDB

CVE-2026-1158: Totolink LR350 POST Request cstecgi.cgi setWizardCfg buffer overflow

A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

Totolink / LR350
9.3.5u.6369_B20220309

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

VDB-341752 | Totolink LR350 POST Request cstecgi.cgi setWizardCfg buffer overflow
VDB-341752 | CTI Indicators (IOB, IOC, IOA)
Submit #735728 | TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow
lavender-bicycle-a5a.notion.site
totolink.net

Metrics