CVE-2026-12186

CVE Database · CVE-2026-12186

CVE-2026-12186

· HIGHReceived

CVSS v3.1

8.8

CVSS v4.0

7.4

EPSS

2.02%

Published

Jun 14, 2026

Modified

Jun 14, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A weakness has been identified in GL.iNet GL-MT3000 up to 4.4.5. Affected is the function replace_country in the library /usr/lib/oui-httpd/rpc/tor of the component Tor Proxy Service Configuration Handler. This manipulation causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 4.7 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-74CWE-77

References (6)

https://fw.gl-inet.com/firmware/mt3000/release/mt3000-4.8.1-0819-1755615825.tar

https://github.com/StrTzz123/iot_vul/blob/main/GL-iNet/MT3000/4.4.5/tor_set_config/Readme.md

https://vuldb.com/cve/CVE-2026-12186

https://vuldb.com/submit/815579

https://vuldb.com/vuln/370832

https://vuldb.com/vuln/370832/cti

KEV Catalog EPSS Scores Vendors All CVEs