OS Command Injection in Comfast CF-WR631AX V3 Due to FastCGI Backend Flaw
CVE-2026-15511
Key Information:
- Vendor
Comfast
- Status
- Vendor
- CVE Published:
- 12 July 2026
Badges
What is CVE-2026-15511?
An OS command injection vulnerability exists in the Comfast CF-WR631AX V3, specifically in the system_wl_upload_pic_file function within the FastCGI Backend component. This vulnerability arises due to improper handling of the filename argument in the webmgnt interface, allowing an attacker to execute arbitrary commands on the system. The vulnerability can be exploited remotely, posing significant security risks. The vendor has been alerted about the issue but has not provided a response.
Affected Version(s)
CF-WR631AX V3 2.7.0.0
CF-WR631AX V3 2.7.0.1
CF-WR631AX V3 2.7.0.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
