CVE-2026-9532— Totolink CA750-PoE Setting cstecgi.cgi setUploadUserData os command injection
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9532
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Totolink CA750-PoE Setting cstecgi.cgi setUploadUserData os command injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
A security vulnerability has been detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Such manipulation of the argument FileName leads to os command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-9532
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9532
请登录查看更多情报信息。
Proof of Concept for CVE-2026-9532 (1)
Same Patch Batch · Totolink · 2026-05-26 · 5 CVEs total
| CVE-2026-9543 | 9.8 CRITICAL | Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection |
| CVE-2026-9534 | 6.3 MEDIUM | Totolink CA750-PoE Setting cstecgi.cgi setWiFiWpsConfig os command injection |
| CVE-2026-9533 | 6.3 MEDIUM | Totolink CA750-PoE Setting cstecgi.cgi recvUpgradeNewFw os command injection |
| CVE-2026-9531 | 6.3 MEDIUM | Totolink CA750-PoE Setting cstecgi.cgi setUpgradeUboot os command injection |
IV. Related Vulnerabilities
Same product: CA750-PoE
- CVE-2026-9534
Totolink CA750-PoE Setting cstecgi.cgi setWiFiWpsConfig os c - CVE-2026-9533
Totolink CA750-PoE Setting cstecgi.cgi recvUpgradeNewFw os c - CVE-2026-9531
Totolink CA750-PoE Setting cstecgi.cgi setUpgradeUboot os co - CVE-2026-9515
Totolink CA750-PoE Setting cstecgi.cgi setUnloadUserData os - CVE-2026-9514
Totolink CA750-PoE Setting cstecgi.cgi setNetworkDiag os com
Same vendor: Totolink
- CVE-2026-9543
Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os - CVE-2026-9534
Totolink CA750-PoE Setting cstecgi.cgi setWiFiWpsConfig os c - CVE-2026-9533
Totolink CA750-PoE Setting cstecgi.cgi recvUpgradeNewFw os c - CVE-2026-9531
Totolink CA750-PoE Setting cstecgi.cgi setUpgradeUboot os co - CVE-2026-9515
Totolink CA750-PoE Setting cstecgi.cgi setUnloadUserData os
Same weakness: CWE-78
- CVE-2026-44345
BentoML: Dockerfile command injection via docker.base_image - CVE-2026-44346
BentoML: Dockerfile command injection via envs[*].name in be - CVE-2026-40852
Command injection via malicious configuration - CVE-2026-8450
HTTP::Daemon versions before 6.17 for Perl allow OS command - CVE-2026-9207
Tanium addressed an unauthorized code execution vulnerabilit
V. Comments for CVE-2026-9532
No comments yet