GL.iNet GL-MT3000 Minidlna Service rpc realpath command injection
CVE-2026-11448

5.1MEDIUM

Key Information:

Vendor: Gl.inet
Status: Gl-mt3000
Vendor: CVE Published:; 7 June 2026

What is CVE-2026-11448?

A weakness has been identified in GL.iNet GL-MT3000 up to 4.4.5. The affected element is the function realpath of the file /rpc of the component Minidlna Service. This manipulation of the argument kube. set causes command injection. The attack is possible to be carried out remotely. Upgrading to version 4.7 is sufficient to fix this issue. It is recommended to upgrade the affected component. The vendor confirms: "Starting from version 4.7, SDK has added global protection to intercept malicious injection".

Affected Version(s)

GL-MT3000 4.4.0

GL-MT3000 4.4.1

GL-MT3000 4.4.2

References

https://vuldb.com/vuln/369068

vdb-entrytechnical-description

https://vuldb.com/vuln/369068/cti

signaturepermissions-required

https://vuldb.com/cve/CVE-2026-11448

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 7, 2026
Vulnerability Reserved
Jun 6, 2026

Credit

strforexc (VulDB User)

VulDB CNA Team

CVE-2026-11448 Data

JSON