OS Command Injection in Comfast CF-WR631AX V3 Due to FastCGI Backend Flaw
CVE-2026-15511

9.3CRITICAL

Key Information:

Vendor

Comfast

Vendor
CVE Published:
12 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-15511?

An OS command injection vulnerability exists in the Comfast CF-WR631AX V3, specifically in the system_wl_upload_pic_file function within the FastCGI Backend component. This vulnerability arises due to improper handling of the filename argument in the webmgnt interface, allowing an attacker to execute arbitrary commands on the system. The vulnerability can be exploited remotely, posing significant security risks. The vendor has been alerted about the issue but has not provided a response.

Affected Version(s)

CF-WR631AX V3 2.7.0.0

CF-WR631AX V3 2.7.0.1

CF-WR631AX V3 2.7.0.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

luminarydawn (VulDB User)
VulDB CNA Team
.