CVE-2026-26213: thingino-firmware Unauthenticated Command Injection in Captive Portal

📅 2026-03-15 📂 Vulnerability Discovery
Tags: CVE, Command Injection, RCE, IoT, Firmware, thingino
CVSS: 8.7 HIGH
👥 Estimated Impact: 2,000+ devices
TL;DR:
Unauthenticated OS command injection in the WiFi captive portal API endpoint (api.cgi) of thingino-firmware allows any device on the camera's AP to execute arbitrary commands as root, achieving full device compromise.

Summary

Discovered an unauthenticated OS command injection vulnerability in thingino-firmware, an open-source firmware for Ingenic SoC-based IP cameras. The vulnerability allows arbitrary command execution as root without any credentials.

CVE ID: CVE-2026-26213
Advisory: VulnCheck — thingino-firmware api.cgi
CWE: CWE-78 — OS Command Injection
Affected Versions: thingino-firmware ≤ commit e3f6a41
Patched Versions: firmware-2026-03-15

Impact

  • Unauthenticated remote code execution as root via the local WiFi network
  • Persistent device compromise that survives reboots and password changes
  • Exfiltration of sensitive files, video feeds, and stored credentials
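As an added illustration of the mitigation for this bug class (not code from thingino-firmware or its api.cgi), the POSIX sh CGI fragment below validates a request parameter against an allowlist and hands it to the system tool as a single argument, never through a shell re-parse. The parameter name `ssid`, the stub tool and the allowlist width are assumptions; the advisory does not name the injected parameter.

```shell
#!/bin/sh
# Added example, not thingino's api.cgi: a defensive pattern for a captive-portal CGI
# written in POSIX sh. The parameter name "ssid" and the stub tool are assumptions;
# the advisory does not name the injected parameter.

# Print the value of one key from QUERY_STRING (first match), or nothing if absent.
query_param() {
    printf '%s\n' "${QUERY_STRING:-}" | tr '&' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Succeed only for a 1-32 character value drawn from an explicit allowlist.
# Rejecting everything else (metacharacters, quotes, newlines, empty input) removes
# the CWE-78 class outright instead of trying to escape individual characters.
# The allowlist is deliberately narrow here; a real handler may widen it but must
# still never hand the value to a shell parser.
valid_ssid() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Stand-in for whatever system tool the real handler invokes (hypothetical), so the
# script runs offline. It reports how many arguments it actually received.
network_tool_stub() {
    printf 'would run tool with %d argument(s): %s\n' "$#" "$*"
}

# The request handler: validate, then pass the value as ONE argv element.
# No eval, no "sh -c", no unquoted expansion, so the value is never re-parsed.
handle_scan_request() {
    ssid=$(query_param ssid)
    if ! valid_ssid "$ssid"; then
        printf 'Status: 400 Bad Request\r\n\r\ninvalid ssid\n'
        return 1
    fi
    printf 'Status: 200 OK\r\n\r\n'
    network_tool_stub scan "$ssid"
}
```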

References