Command Injection Vulnerability in ToToLink A3300R Firmware
CVE-2026-31170

Currently unrated

Key Information:

Vendor: ToToLink

CVE Published: 9 April 2026

What is CVE-2026-31170?

A command injection vulnerability has been identified in ToToLink A3300R firmware, specifically in version 17.0.0cu.557_B20221024. The vulnerability arises from improper validation of the stun-pass parameter in the /cgi-bin/cstecgi.cgi component, allowing attackers to execute arbitrary commands on the affected device. This flaw poses significant risks, as it can be exploited remotely to gain unauthorized access or disrupt the device's normal operations.
