OS Command Injection Vulnerability in WDR201A WiFi Extender from Yeapook
CVE-2026-41926

9.3CRITICAL

Key Information:

Vendor

Shenzhen Yipu Commercial And Trading Co., Ltd

Status
Wdr201a Wifi Extender
Vendor
CVE Published:
4 May 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2026-41926?

The WDR201A WiFi Extender features a severe OS command injection vulnerability within the firewall.cgi binary, affecting several request handlers due to inadequate input validation. Attackers can exploit this weakness by injecting arbitrary shell commands through vulnerable parameters such as websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter. This manipulation allows malicious payloads to be saved in NVRAM, where they can persist and execute with every subsequent request to firewall.cgi, posing a significant risk to user security.

Affected Version(s)

WDR201A WiFi Extender 0 <= 1.02

References

https://mstreet97.github.io/security-research/iot/vulnera...
technical-descriptionexploit
https://www.made-in-china.com/showroom/yeapook/#:~:text=E...
product
https://www.vulncheck.com/advisories/wdr201a-wifi-extende...
third-party-advisory

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matteo Strada
.