CVE-2026-36960: n/a
A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action.
AI Analysis
Technical Summary
This vulnerability affects the U-SPEED N300 Router V1.0.0 and arises from missing CSRF protections in its web management interface. Without mechanisms like anti-CSRF tokens or strict Origin/Referer checks, the router's administrative API endpoints are susceptible to forged HTTP requests. If an authenticated administrator visits a malicious webpage, the browser includes the valid session cookie, enabling the attacker to execute unauthorized administrative commands via the router's interface.
Potential Impact
An attacker can perform unauthorized administrative actions on the affected router by exploiting the CSRF vulnerability. This could lead to unauthorized configuration changes, potentially compromising the router's security or network settings. There is no information about known exploits in the wild or specific impacts beyond the ability to perform administrative actions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should avoid visiting untrusted websites while authenticated to the router's management interface. Network segmentation or restricting access to the management interface may reduce exposure. Monitor vendor communications for updates regarding official patches or mitigations.
CVE-2026-36960: n/a
Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects the U-SPEED N300 Router V1.0.0 and arises from missing CSRF protections in its web management interface. Without mechanisms like anti-CSRF tokens or strict Origin/Referer checks, the router's administrative API endpoints are susceptible to forged HTTP requests. If an authenticated administrator visits a malicious webpage, the browser includes the valid session cookie, enabling the attacker to execute unauthorized administrative commands via the router's interface.
Potential Impact
An attacker can perform unauthorized administrative actions on the affected router by exploiting the CSRF vulnerability. This could lead to unauthorized configuration changes, potentially compromising the router's security or network settings. There is no information about known exploits in the wild or specific impacts beyond the ability to perform administrative actions.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should avoid visiting untrusted websites while authenticated to the router's management interface. Network segmentation or restricting access to the management interface may reduce exposure. Monitor vendor communications for updates regarding official patches or mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-04-06T00:00:00.000Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f376fbcbff5d86103580cd
Added to database: 4/30/2026, 3:36:27 PM
Last enriched: 4/30/2026, 3:52:03 PM
Last updated: 4/30/2026, 5:56:26 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.