theinfosecnews

CVE-2026-5996

Published April 10, 2026 · Updated April 10, 2026

CVSS 9.8 (critical)

What This Means

CVE-2026-5996 is a critical vulnerability (CVSS score 9.8) found in the Totolink A7100RU, specifically within the `setAdvancedInfoShow` function of the CGI Handler. This flaw allows remote attackers to execute arbitrary OS commands by manipulating the `tty_server` argument, which could compromise the device. Security teams must immediately apply patches or mitigate the risk by restricting external access to vulnerable devices.

Official Description

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument tty_server leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. Monitor vendor advisories for updates and additional mitigations.
  4. Review logs for indicators of compromise related to CVE-2026-5996.
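
For step 4, one way to triage captured web requests, as an added example that is not from the advisory or the vendor: it flags POSTs to `/cgi-bin/cstecgi.cgi` that name `setAdvancedInfoShow` and carry a `tty_server` value that is not a plain hostname or IP address. The tab-separated log layout, the JSON body with a `topicurl` field, and the plain-host rule for legitimate values are assumptions; the sample lines are constructed.

```python
import ipaddress
import json
import re

CGI_PATH = "/cgi-bin/cstecgi.cgi"   # from the advisory
FUNCTION = "setAdvancedInfoShow"    # from the advisory
PARAM = "tty_server"                # from the advisory
# Assumption: a legitimate tty_server value is a bare hostname or IP address.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

def is_plain_host(value):
    """True only for a string that is an IP address or hostname-shaped."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(value) is not None

def suspicious_requests(log_lines):
    """Return (source, reason) for requests worth a closer look.
    Assumed line layout: source<TAB>method<TAB>path<TAB>request body."""
    hits = []
    for line in log_lines:
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) != 4:
            continue
        src, method, path, body = parts
        if method != "POST" or path.split("?", 1)[0] != CGI_PATH:
            continue
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            # Truncated or malformed bodies that still name the function are kept.
            if FUNCTION in body and PARAM in body:
                hits.append((src, "unparseable body naming the function"))
            continue
        if not isinstance(data, dict) or data.get("topicurl") != FUNCTION:
            continue
        if PARAM in data and not is_plain_host(data[PARAM]):
            hits.append((src, f"{PARAM} is not a plain host: {data[PARAM]!r}"))
    return hits

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '198.51.100.7\tPOST\t/cgi-bin/cstecgi.cgi\t{"topicurl":"setAdvancedInfoShow","tty_server":"192.0.2.10"}',
    '203.0.113.9\tPOST\t/cgi-bin/cstecgi.cgi\t{"topicurl":"setAdvancedInfoShow","tty_server":"192.0.2.10;PLACEHOLDER"}',
    '203.0.113.9\tPOST\t/cgi-bin/cstecgi.cgi\t{"topicurl":"otherFunction"}',
    '203.0.113.44\tPOST\t/cgi-bin/cstecgi.cgi\t{"topicurl":"setAdvancedInfoShow","tty_server":',
]
```

A hit is a lead for review, not proof of compromise; requests to this endpoint from outside the management network deserve attention even when the value looks clean.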
