CVE-2026-24697

An OS command injection vulnerability exists in the start_bonjour() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The wan_hostname configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.

Published: 2026-07-08 Last update: 2026-07-08 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2026-24697 is rated Risk Under Review. Mandatory action: Scoring and exploitation signals are still pending—keep following this page for CVSS or EPSS updates, then reassess remediation priority once scores appear.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-24697

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

EPSS has not published a score for this CVE yet—common while NVD analysis or FIRST scoring is still pending. Monitor daily updates and reassess once scores appear.

Common vulnerability scoring system (CVSS) metrics for CVE-2026-24697

CVSS metrics for this CVE.

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2026-24697

GitHub Security Advisory for CVE-2026-24697

GHSA-5wp9-987m-q7mf · Severity: unknown — An OS command injection vulnerability exists in the start_bonjour() function of the "rc" binary...

Affected software / configurations for CVE-2026-24697

Vendor Product Version Raw CPE
No affected products in dataset.

References for CVE-2026-24697

cvelogic Threat Intelligence