{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31176", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-23T18:43:43.726Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-23T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-23T18:43:43.726Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun_user parameter to /cgi-bin/cstecgi.cgi."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-user-cmd-injection"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "references": [{"url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-user-cmd-injection", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T17:48:13.786801Z", "id": "CVE-2026-31176", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T17:48:16.346Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31176", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T17:48:13.786801Z"}}}], "references": [{"url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-user-cmd-injection", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T17:48:09.408Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-user-cmd-injection"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun_user parameter to /cgi-bin/cstecgi.cgi."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-23T18:43:43.726Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31176", "state": "PUBLISHED", "dateUpdated": "2026-04-23T18:43:43.726Z", "dateReserved": "2026-03-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-23T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*", "matchCriteriaId": "DD39B647-3419-4C6D-A6A2-30F40822A27D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*", "matchCriteriaId": "7F723A73-4B32-4F9E-B5DA-80134D4711C1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun_user parameter to /cgi-bin/cstecgi.cgi."}], "id": "CVE-2026-31176", "lastModified": "2026-04-24T15:12:13.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-23T18:16:24.857", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-user-cmd-injection"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-user-cmd-injection"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "17.0.0cu.557_B20221024"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "a3300r_firmware", "vendor": "totolink"}], "analysis": {"en": {"generated_at": "2026-04-28T15:06:53.553475+00:00", "value": {"mitigation_remediation": ["Upgrade to a version of the firmware that contains the fix for the command injection flaw.", "Fail\u2011over by blocking or restricting access to the /cgi-bin/cstecgi.cgi endpoint and the stun_user parameter via network firewalls or ACLs.", "If the policy allows, modify the CGI to remove or sanitize the stun_user input to eliminate the injection vector."], "summary": {"action": "Update Firmware", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects ToToLink A3300R devices running firmware version 17.0.0cu.557_B20221024. No other affected product versions are publicly documented.", "description_and_impact": "A command injection flaw exists in the /cgi-bin/cstecgi.cgi handler of ToToLink A3300R firmware, which allows an attacker to supply an arbitrary string in the stun_user parameter and execute arbitrary OS commands on the device. This vulnerability can compromise confidentiality, integrity, and availability by enabling a malicious user to take full control of the router.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity. The EPSS score is below 1%, suggesting a low probability that the flaw will be actively exploited in the near term, and the vulnerability is not yet listed in the CISA KEV catalog. The attack vector is inferred to be remote over the network, as the vulnerable CGI endpoint is accessible via standard HTTP requests. If an attacker can reach the device, they can invoke arbitrary commands and potentially compromise the entire system."}}}}, "created": "2026-04-27T19:15:11.635705+00:00", "title": "Stun User Parameter Command Injection in ToToLink A3300R Firmware", "updated": "2026-04-28T15:15:34.203128+00:00", "vendors": ["totolink", "totolink$PRODUCT$a3300r_firmware"]}