← volver
CVE-2026-11448

GL.iNet GL-MT3000 Minidlna Service rpc realpath command injection

CVSS 5.1 MEDIUMEPSS 1.6%CWE-74CWE-77
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 5.1EPSS 1.6%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
07 jun 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
A weakness has been identified in GL.iNet GL-MT3000 up to 4.4.5. The affected element is the function realpath of the file /rpc of the component Minidlna Service. This manipulation of the argument kube. set causes command injection. The attack is possible to be carried out remotely. Upgrading to version 4.7 is sufficient to fix this issue. It is recommended to upgrade the affected component. The vendor confirms: "Starting from version 4.7, SDK has added global protection to intercept malicious injection".
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X
Productos afectados
GL.iNet · GL-MT3000

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/minidlna_db_dir_uci_rcehttps://vuldb.com/cve/CVE-2026-11448https://vuldb.com/submit/825212https://vuldb.com/vuln/369068https://vuldb.com/vuln/369068/cti