CVE-2026-1460: A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in Zy

Description

A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device.

Affected Products

Vendor	Product	Versions
zyxel	dx3301-t0 firmware	<= 5.50(ABVY.7.1)C0, <= 5.50(ABVY.7.1)C0

References

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026(vendor-advisory)

Related News (1 articles)

Tier C

VulDB12h ago

CVE-2026-1460 | Zyxel DX3301-T0/EX3301-T0 up to 5.50(ABVY.7.1)C0 Configuration File DomainName os command injection

→ No new info (linked only)

CVSS 3.17.2 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026

CWECWE-78

PublishedApr 28, 2026

Last enriched12h agov2

Trending Score49

Source articles1

Independent1

CVE-2026-1460: A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in Zy

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (5)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History