CVE-2026-7219

Totolink N300RT formIpQoS buffer overflow

CVSS 8.6 HIGHEPSS 0.6%CWE-119 CWE-120

Vexday Risk Score

41Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 8.6EPSS 0.6%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

28 Apr 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

A flaw has been found in Totolink N300RT 3.4.0-B20250430. This affects an unknown function of the file /boafrm/formIpQoS. Executing a manipulation of the argument entry_name can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used.

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Affected products

Totolink · N300RT

public PoCs found — 1

cve_referencegithub.com/xiaohaiyang-ai/IoT-Vulnerability-Research/tree/main/Vendors/TOTOLINK/N300RT/formIpQoS-Bofunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/xiaohaiyang-ai/IoT-Vulnerability-Research/tree/main/Vendors/TOTOLINK/N300RT/formIpQoS-Bof https://vuldb.com/submit/808194 https://vuldb.com/vuln/359819 https://vuldb.com/vuln/359819/cti https://www.totolink.net/