CVE-2026-11449 | GL.iNet GL-MT3000 4.4.5 LuCI JSON-RPC Interface /cgi-bin/luci/rpc rpc_sys command injection

A vulnerability classified as critical was found in GL.iNet GL-MT3000 4.4.5. The impacted element is the function rpc_sys of the file /cgi-bin/luci/rpc of the component LuCI JSON-RPC Interface. Such manipulation leads to command injection.

This vulnerability is listed as CVE-2026-11449. The attack may be performed from remote. There is no available exploit.

Upgrading the affected component is advised.

The vendor confirms: “The issue discovered by the vulnerability researcher on older firmware versions(4.4.5) has actually been fixed and mitigated in the new version. According to the latest firmware fixes, by default, firmware versions after 4.7.13 do not install LuCI, so this vulnerability cannot be exploited.”

CVE-2026-11449 | GL.iNet GL-MT3000 4.4.5 LuCI JSON-RPC Interface /cgi-bin/luci/rpc rpc_sys command injection

Post correlati

CVE-2024-41657 | Casdoor up to 1.577.0 cross-domain policy (GHSL-2024-035)

CVE-2024-5208 | mintplex-labs anything-llm up to 0.x Request upload-link resource consumption

CVE-2024-8928 | PHP up to 8.1.29/8.2.23/8.3.11 Multipart Form Data Parser improper validation of syntactic correctness of input

CVE-2025-1230 | Prestashop 8.1.7 //index.php link cross site scripting