OS Command Injection Vulnerability in DrayTek Vigor 300B Web Management Interface
CVE-2026-3040

5.1MEDIUM

Key Information:

Vendor: Draytek
Status: Vigor 300b
Vendor: CVE Published:; 23 February 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-3040?

A vulnerability exists in the DrayTek Vigor 300B's web management interface, specifically within the cgiGetFile function of the /cgi-bin/mainfunction.cgi/uploadlangs component. This security flaw allows for OS command injection through the manipulation of the File parameter, enabling remote attackers to execute arbitrary commands. The affected product version, 1.5.1.6, is no longer supported by DrayTek, which has confirmed it will not issue a patch for this vulnerability. As such, users should be aware of the risks associated with using this EoL product and take appropriate measures to secure their networks.

Affected Version(s)

Vigor 300B 1.5.1.0

Vigor 300B 1.5.1.1

Vigor 300B 1.5.1.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-3040 - Proof of Concept

References

https://vuldb.com/?id.347394

vdb-entrytechnical-description

https://vuldb.com/?ctiid.347394

signaturepermissions-required

https://vuldb.com/?submit.757126

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 23, 2026
👾
Exploit known to exist
Feb 23, 2026
Vulnerability published
Feb 23, 2026
Vulnerability Reserved
Feb 23, 2026

Credit

jiefengliang (VulDB User)

CVE-2026-3040 Data

JSON

Draytek