Severity score: 9.8
GL-iNet GL-AR300M16 Firmware Upgrade Vulnerability Allows Command Execution
CVE-2026-26792
Summary
The firmware upgrade feature of the GL-iNet GL-AR300M16 is vulnerable to command injection. An attacker can exploit it by sending specially crafted input, which lets them execute unauthorized commands on the device. Firmware updates should be reviewed and validated before they are applied to avoid potential security risks.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| gl-inet | ar300m16_firmware | 4.3.11 | – |
Original title
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain multiple command injection vulnerabilities in the set_upgrade function via the modem_url, target_version, current_version, firmware_upload, has...
Original description
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain multiple command injection vulnerabilities in the set_upgrade function via the modem_url, target_version, current_version, firmware_upload, hash_type, hash_value, and upgrade_type parameters. These vulnerabilities allow attackers to execute arbitrary commands via a crafted input.
Vulnerability type
CWE-77
Command Injection
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026