Command Injection Vulnerability in TOTOLINK N200RE V5
CVE-2026-36841

9.8CRITICAL

Key Information:

Vendor: TOTOLINK
Status: N200RE V5
Vendor: CVE Published:; 29 April 2026

What is CVE-2026-36841?

The TOTOLINK N200RE V5 router has been identified with a command injection vulnerability that allows remote attackers to execute arbitrary commands on the system. This vulnerability is exploited through the 'macstr' and 'bandstr' parameters in the 'formMapDelDevice' function. An attacker can craft specially designed requests to manipulate the router's command execution, potentially leading to unauthorized access and control over the device. It is crucial for users of this product to implement necessary security measures and keep their firmware updated to mitigate the risks associated with this vulnerability.

References

https://github.com/0xmania/cve/tree/main/TOTOLINK-N200RE_...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 29, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-36841 Data

JSON