
CVE-2026-26795: n/a

Critical
Vulnerability, CVE-2026-26795, cve, cve-2026-26795
Published: Thu Mar 12 2026 (03/12/2026, 00:00:00 UTC)
Source: CVE Database V5

Description

GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnerability allows attackers to execute arbitrary commands via a crafted input.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/20/2026, 02:21:49 UTC

Technical Analysis

CVE-2026-26795 is a critical command injection vulnerability affecting the GL-iNet GL-AR300M16 router running firmware version 4.3.11. The vulnerability resides in the M.get_system_log function, specifically through the module parameter, which fails to properly sanitize user input. This allows an attacker to inject arbitrary commands that the system executes with the privileges of the affected service, potentially leading to full system compromise. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 base score of 9.8 reflects its critical nature, with attack vector being network-based, low attack complexity, no privileges required, and no user interaction needed. The impact includes complete compromise of confidentiality, integrity, and availability of the device. The underlying weakness corresponds to CWE-77, indicating improper neutralization of special elements in commands or queries. Although no public exploits have been reported yet, the vulnerability’s characteristics make it highly exploitable. The GL-iNet GL-AR300M16 is a widely used compact router, often deployed in small offices, home networks, and IoT environments, increasing the potential attack surface. Lack of available patches at the time of disclosure further elevates the risk.

Potential Impact

The exploitation of CVE-2026-26795 can lead to complete compromise of affected GL-iNet GL-AR300M16 devices. Attackers can execute arbitrary commands remotely without authentication, enabling them to take full control of the router. This can result in interception or manipulation of network traffic, deployment of malware or ransomware, pivoting to internal networks, and disruption of network availability. Organizations relying on these routers for critical connectivity or IoT device management face risks of data breaches, operational downtime, and loss of network integrity. The vulnerability’s ease of exploitation and high severity make it a prime target for attackers seeking to establish persistent footholds or conduct espionage. The absence of known exploits currently does not reduce the threat, as proof-of-concept code may emerge rapidly. The impact extends to confidentiality, integrity, and availability, potentially affecting business continuity and trust in network infrastructure.

Mitigation Recommendations

1. Immediately isolate affected GL-iNet GL-AR300M16 devices from untrusted networks until a patch or firmware update is available.
2. Monitor network traffic for unusual command execution patterns or unexpected outbound connections originating from these devices.
3. Implement network segmentation to limit exposure of vulnerable routers to critical internal systems.
4. Employ strict access control lists (ACLs) and firewall rules to restrict management interface access to trusted IP addresses only.
5. Regularly check GL-iNet official channels for firmware updates or security advisories addressing this vulnerability.
6. If patching is not immediately possible, consider replacing affected devices with models not impacted by this vulnerability.
7. Conduct thorough audits of network devices for signs of compromise, especially focusing on routers with similar firmware versions.
8. Educate network administrators about the risks of command injection vulnerabilities and the importance of input validation in device management interfaces.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2026-02-16T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69b302c82f860ef943d65df0

Added to database: 3/12/2026, 6:15:36 PM

Last enriched: 3/20/2026, 2:21:49 AM

Last updated: 4/28/2026, 5:10:14 AM
