Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Comfast CF-N1 V2: Remote Command Injection via CGI Interface
CVE-2026-2535
Summary
A remote attacker can inject malicious commands into the Comfast CF-N1 V2's CGI interface, potentially allowing them to execute arbitrary system commands. This could lead to unauthorized access or data theft. We recommend that you update to the latest version of the firmware as soon as possible to mitigate this risk.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| comfast | cf-n1_firmware | 2.6.0.2 | – |
Original title
A vulnerability was found in Comfast CF-N1 V2 2.6.0.2. The impacted element is the function sub_44AB9C of the file /cgi-bin/mbox-config?method=SET§ion=ptest_channel. The manipulation of the arg...
Original description
A vulnerability was found in Comfast CF-N1 V2 2.6.0.2. The impacted element is the function sub_44AB9C of the file /cgi-bin/mbox-config?method=SET§ion=ptest_channel. The manipulation of the argument channel results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
nvd CVSS2.0
6.5
nvd CVSS3.1
8.8
nvd CVSS4.0
5.3
Vulnerability type
CWE-74
Injection
CWE-77
Command Injection
- https://github.com/jinhao118/cve/blob/main/ComFast%20Router_2.md Exploit Third Party Advisory
- https://vuldb.com/?ctiid.346123 Permissions Required VDB Entry
- https://vuldb.com/?id.346123 Third Party Advisory VDB Entry
- https://vuldb.com/?submit.748784 Third Party Advisory VDB Entry
Published: 16 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026