CVE-2026-8137

Totolink X5000R formDdns sub_458E40 buffer overflow

CVSS 8.7 HIGHEPSS 0.5%CWE-119 CWE-120

Vexday Risk Score

41Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 8.7EPSS 0.5%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

08 May 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

A vulnerability has been found in Totolink X5000R 9.1.0u.6369_B20230113. This vulnerability affects the function sub_458E40 of the file /boafrm/formDdns. The manipulation of the argument submit-url leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Affected products

Totolink · X5000R

public PoCs found — 1

cve_referencegithub.com/Kiciot/cve/issues/4unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/Kiciot/cve/issues/4 https://vuldb.com/submit/808863 https://vuldb.com/vuln/361926 https://vuldb.com/vuln/361926/cti https://www.totolink.net/