Back to overview

CVE-2026-15511

CRITICAL
9.8
CVSS 3.1
Description
A vulnerability was determined in Comfast CF-WR631AX V3 up to 2.7.0.8. Affected by this vulnerability is the function system_wl_upload_pic_file of the file /usr/bin/webmgnt of the component FastCGI Backend. This manipulation of the argument filename causes os command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Metadata

CVE ID
CVE-2026-15511
State
PUBLISHED
Assigner
VulDB
Reserved
2026-07-12 06:00 UTC
Published
2026-07-12 23:00 UTC
Last updated
2026-07-12 23:00 UTC
Primary CWE
CWE-78
OS Command Injection
Vendor / Product
Comfast / CF-WR631AX V3
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
Affected products (1)
VendorProductPlatformVersions
Comfast CF-WR631AX V3 2.7.0.0, 2.7.0.1, 2.7.0.2, 2.7.0.3 …
Weakness (CWE)
CWESourceDescription
CWE-77 cna Command Injection
CWE-78 cna OS Command Injection
CVSS scores (4)
ScoreSeverityVersionSourceVector
10.0 N/D 2.0 cna AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR
9.8 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
9.8 CRITICAL 3.0 cna CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
9.3 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
References (5)
Back to overview