CVE-2021-45876
Description
Multiple versions of GARO Wallbox GLB/GTB/GTC are affected by unauthenticated command injection. The url parameter of the function module downloadAndUpdate is vulnerable to a command injection. Unfiltered user input is used to generate code which then gets executed when downloading new firmware.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- GARO/Wallbox GLB/GTB/GTC (source: description)
Patches
Vulnerability mechanics
Root cause
"Unfiltered user input in the url parameter of the downloadAndUpdate function is used to generate code that gets executed, enabling command injection."
Attack vector
An unauthenticated attacker sends a crafted HTTP request to the `downloadAndUpdate` function, injecting arbitrary commands via the `url` parameter. Because the user input is used directly to generate executable code, the injected commands run with the privileges of the web server process [ref_id=1]. No authentication or prior access is required, making the attack remotely exploitable over the network.
Affected code
The vulnerability resides in the `downloadAndUpdate` function module of the GARO Wallbox GLB/GTB/GTC web interface. The `url` parameter is passed unfiltered into code that is executed when downloading new firmware [ref_id=1]. No patch files are available in the bundle.
What the fix does
No patch is published in the bundle. The advisory states that the vendor (GARO) was contacted twice but did not reply, and no fixed version was confirmed [ref_id=1]. The recommended remediation would be to sanitize or validate the `url` parameter before using it in code generation, and to implement proper access controls on the management interface.
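An added example, not GARO's code and not part of the advisory: one way to apply the validation recommended above. It assumes the firmware is fetched by a `curl` child process and that `firmware.example.invalid` is the approved update host; both are hypothetical, as are the function names.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only legitimate firmware source (hypothetical host name).
ALLOWED_HOSTS = {"firmware.example.invalid"}
# Characters a firmware URL needs; excludes whitespace, quotes, ; | & $ ` ? # @
SAFE_CHARS = re.compile(r"[A-Za-z0-9:/._-]+")


def validate_firmware_url(url):
    """Return url unchanged if it passes every check, else raise ValueError."""
    if not isinstance(url, str) or len(url) > 2048:
        raise ValueError("url missing or too long")
    # Check the raw string first: urlsplit() silently strips some control
    # characters, so checking only the parsed parts would miss them.
    if not SAFE_CHARS.fullmatch(url):
        raise ValueError("url contains characters outside the allow-list")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("host is not an approved firmware source")
    if parts.port not in (None, 443):
        raise ValueError("unexpected port")
    if ".." in parts.path or not parts.path.endswith(".bin"):
        raise ValueError("path is not a firmware image")
    return url


def build_download_argv(url, dest="/tmp/firmware.bin"):
    """Argument vector for subprocess.run(argv, shell=False, check=True).

    The URL is one argv element and never part of a shell string, so even a
    validation gap cannot turn it into extra commands.
    """
    return ["curl", "--fail", "--proto", "=https", "--output", dest,
            validate_firmware_url(url)]
```

Validation alone does not address the missing authentication; the endpoint still needs access control in front of it.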
Preconditions
- auth: No authentication required
- network: Network access to the GARO Wallbox web interface
- input: The downloadAndUpdate endpoint must be reachable
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- github.com/delikely/advisory/tree/main/GARO (mitre, x_refsource_MISC)