CVE-2026-36956

Daily digests

Same story, different router. The Dbit N300 T1 Pro V1.0.0 ships with no CSRF tokens or origin validation on its admin API. An attacker can trick a logged-in admin into visiting a crafted page that silently fires requests to endpoints like /api/setWlan, changing wireless settings or anything else the admin can do. No user interaction beyond visiting the malicious page is required.

• Daily Digest · May 1, 2026

  WordPress auth bypass, CVSS 9.8, no creds needed