CVE-2026-11406
Published: Sat, 06 Jun 2026 10:16
Details
A vulnerability was found in GL.iNet MT3000 up to 4.4.5. It affects unknown code in the file ovpnclient.sh of the component OpenVPN Client Import Workflow. The manipulation causes command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. Upgrading to version 4.9.0_beta3-1012-0513-1778656146 resolves this issue, and upgrading the affected component is recommended. The vendor confirms: "This issue has been addressed by implementing malicious checks on OpenVPN configuration files to prevent command injection attacks carried through malicious configuration files."
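The vendor statement above describes the fix as checks on imported OpenVPN configuration files. As an added example (not GL.iNet's code and not derived from the public exploit; the page does not say where in ovpnclient.sh the injection occurs), the following Python lint flags profile lines that make OpenVPN run external programs or that contain shell metacharacters, so a profile can be reviewed before import. The name `lint_ovpn` and the sample profile are constructed for illustration.

```python
import re

# Directives that make OpenVPN run an external program or load a plugin
# (names from the OpenVPN manual).
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin",
}
# Characters with special meaning to a shell that handles the line unquoted.
SHELL_META = re.compile(r"[;&|`$<>]")
# Opening or closing tag of an inline block such as <ca> ... </ca>.
INLINE_TAG = re.compile(r"^</?[A-Za-z][\w-]*>$")

def lint_ovpn(text):
    """Return (line_number, directive, reason) for each risky line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blank lines, comments and inline-block tags; block contents
        # (PEM/base64 or nested directives) are linted like any other line.
        if not line or line[0] in "#;" or INLINE_TAG.match(line):
            continue
        parts = line.split(None, 1)
        name = parts[0].lstrip("-").lower()
        value = parts[1] if len(parts) > 1 else ""
        if name in EXEC_DIRECTIVES:
            findings.append((lineno, name, "runs an external command or plugin"))
        elif name == "script-security" and value.split()[:1] not in (["0"], ["1"]):
            findings.append((lineno, name, "permits user-defined scripts"))
        elif SHELL_META.search(line):
            findings.append((lineno, name, "shell metacharacter in line"))
    return findings

# Constructed sample profile, not taken from the advisory or the public exploit.
SAMPLE = """\
client
dev tun
remote vpn.example.net 1194 udp
script-security 2
up /tmp/x.sh
auth-user-pass creds$(echo x).txt
<ca>
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUexample+base64/only==
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for finding in lint_ovpn(SAMPLE):
        print(finding)
```

The character check is deliberately conservative and will also flag profiles that use `;` for trailing comments; treat findings as items to review, not as proof of a malicious file.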
References
- https://fw.gl-inet.cn/firmware/mt3000/testing/mt3000-4.9.0_beta3-1012-0513-1778656146.tar
- https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/ovpn_client_import
- https://vuldb.com/cve/CVE-2026-11406
- https://vuldb.com/submit/820049
- https://vuldb.com/vuln/368966
- https://vuldb.com/vuln/368966/cti