CVE-2026-36741 - Vulnerability Details

U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Command Injection. The Network Time Protocol (NTP) configuration interface does not properly sanitize user-supplied input. An authenticated user with permission to configure NTP settings can inject arbitrary system commands through crafted input fields. These commands are executed with elevated privileges, leading to potential full system compromise.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://github.com/N0tMilk/vulnerability-research
https://github.com/N0tMilk/vulnerability-research/tree/main/IoT/CVE-2026-36741

History

Wed, 13 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Description		U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Command Injection. The Network Time Protocol (NTP) configuration interface does not properly sanitize user-supplied input. An authenticated user with permission to configure NTP settings can inject arbitrary system commands through crafted input fields. These commands are executed with elevated privileges, leading to potential full system compromise.
References		https://github.com/N0tMilk/vulnerability-research https://github.com/N0tMilk/vulnerability-research/tree/main/IoT/CVE-2026-36741

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-13T00:00:00.000Z

Updated: 2026-05-13T15:37:12.349Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36741

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:40.840

Modified: 2026-05-13T16:27:36.223

Link: CVE-2026-36741

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object