OS Command Injection Vulnerability in WDR201A WiFi Extender by YEAPOOK
CVE-2026-41922

9.3CRITICAL

Key Information:

Vendor

Shenzhen Yipu Commercial And Trading Co., Ltd

Status
Wdr201a Wifi Extender
Vendor
CVE Published:
4 May 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2026-41922?

The WDR201A WiFi Extender from YEAPOOK is susceptible to an OS command injection vulnerability via the wireless.cgi binary. This defect allows remote attackers, without authentication, to execute arbitrary shell commands by submitting malicious input to the sz11gChannel or PIN POST parameters. The vulnerability arises from inadequate sanitization of input parameters in the set_wifi_basic and set_wifi_do_wps functions, enabling the potential for remote code execution.

Affected Version(s)

WDR201A WiFi Extender 0 <= 1.02

References

https://mstreet97.github.io/security-research/iot/vulnera...
technical-descriptionexploit
https://www.made-in-china.com/showroom/yeapook/#:~:text=E...
product
https://www.vulncheck.com/advisories/wdr201a-wifi-extende...
third-party-advisory

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matteo Strada
Daniele Berardinelli
.