CVE-2026-11450 | GL.iNet GL-MT3000 4.4.5 Path Normalization /usr/lib/oui-httpd/rpc/ dlopen dev_name command injection

A vulnerability, which was classified as critical, has been found in GL.iNet GL-MT3000 4.4.5. This affects the function dlopen in the library /usr/lib/oui-httpd/rpc/ of the component Path Normalization Handler. Performing a manipulation of the argument dev_name results in command injection.

This vulnerability is cataloged as CVE-2026-11450. It is possible to initiate the attack remotely. There is no exploit available.

It is advisable to upgrade the affected component.

The vendor confirms: ” From version 4.7 onward, we have enabled method‑level validation at the HTTP /rpc layer. nas‑web.eject_disk is no longer in the whitelist of allowed methods. Consequently, directly calling eject_disk through the default /rpc endpoint returns Invalid params, preventing entry into subsequent dangerous functions and blocking the remote exploit chain described in the report.”

CVE-2026-11450 | GL.iNet GL-MT3000 4.4.5 Path Normalization /usr/lib/oui-httpd/rpc/ dlopen dev_name command injection

Post correlati

CVE-2023-5992 | OpenSC prior 0.24.0 PKCS#1 Padding information exposure

CVE-2023-49673 | NeuVector Vulnerability Scanner Plugin up to 1.22 on Jenkins cross-site request forgery

CVE-2025-14833 | code-projects Online Appointment Booking System 1.0 deletemanagerclinic.php clinic sql injection

CVE-2025-5407 | chaitak-gorai Blogbook up to 92f5cf90f8a7e6566b576fe0952e14e1c6736513 /register_script.php fullname cross site scripting