5.3
Totolink A3300R Router: Remote Command Injection via qos_up_bw
CVE-2026-5102
Summary
A vulnerability in Totolink A3300R routers allows a remote attacker to execute unauthorized commands on the device. An attacker could use this to take control of the router or access sensitive information. Users should update their router's firmware to the latest version to fix the issue.
Original title
A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. This vulnerability affects the function setSmartQosCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Han...
Original description
A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. This vulnerability affects the function setSmartQosCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument qos_up_bw results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
NVD CVSS 2.0: 6.5
NVD CVSS 3.1: 6.3
NVD CVSS 4.0: 5.3
Vulnerability type
CWE-74: Injection
CWE-77: Command Injection
Published: 30 Mar 2026 · Updated: 30 Mar 2026 · First seen: 30 Mar 2026