July 13, 2026 Security Vulnerability Roundup: Takeovers in a Wireless Router and Industrial Gear — Does It Affect You?
A roundup of three July 13, 2026 vulnerabilities rated 9.0 or higher. The Comfast wireless router can be taken over with no login yet has no fix, the WAGO industrial device has a hidden feature, and the Centreon monitoring tool has a critical flaw. Most target product operators. Also covers the same-day LINE bug so you can check what affects you.
Table of contents
A roundup of three July 13, 2026 vulnerabilities rated 9.0 or higher. The Comfast wireless router can be taken over with no login yet has no fix, the WAGO industrial device has a hidden feature, and the Centreon monitoring tool has a critical flaw. Most target product operators. Also covers the same-day LINE bug so you can check what affects you.
This article rounds up, in one place, the vulnerabilities disclosed on July 13, 2026 in the global vulnerability database (NVD) and Japan's JVN that we chose not to cover as standalone breaking news. This day brought three serious flaws aimed at people who operate a specific product: a wireless router, industrial control gear, and a system-monitoring tool. The severity numbers are high, but the smartphones and web services ordinary consumers use every day are not directly targeted. Check here whether a product you use is on the list.
Note that the item found the same day whose user base in Japan is on a different scale — urgent enough to "update now" — got its own article: the LINE for iOS bug (CVE-2026-3861 / severity 7.1), which can briefly make an iPhone unresponsive when you open a link. Below are the rest — the three critical items rated 9.0 or higher (out of 10), ordered by how much they stood out. The previous day's list is in our July 12 security vulnerability roundup.
Today's "check now" item we covered individually
First, here is the item we covered as a standalone article during the day. Because it has a very large user base in Japan, check it promptly if it applies to you.
- ・LINE for iOS bug (CVE-2026-3861 / severity 7.1): opening a crafted link pops confirmation dialogs repeatedly and briefly makes the iPhone unresponsive. It does not steal information, and updating the app to 26.3.0 or later fixes it.
The day's severity-9-plus items: three in a router, industrial gear, and a monitoring tool
Three items disclosed on July 13 were rated 9.0 or higher. All target people who install and operate the product themselves, not something ordinary users touch as-is. That said, wireless routers do end up in homes and shops, so we go through them in order. Severity is out of 10.
| CVE | Product | What happens | Severity | Prerequisite | Status |
|---|---|---|---|---|---|
| CVE-2026-15511 | Comfast CF-WR631AX | Command injection → device takeover | 9.8 | No login | No fix No known abuse |
| CVE-2026-4769 | WAGO System I/O Field | Hidden feature → internal access | 9.8 | No login (early boot only) | Response in progress No known abuse |
| CVE-2026-14453 | Centreon (open-tickets) | Template injection → code execution | 9.6 | Login required | Fix available No known abuse |
CVE-2026-15511: "Comfast CF-WR631AX" wireless router taken over with no login
Comfast is a Chinese-vendor brand of wireless routers and access points for small offices and homes. The flaw lies in the device management routine that receives image files (an internal function called `system_wl_upload_pic_file`): it does not adequately check externally supplied strings and runs them as commands inside the device — a technique known as OS command injection. No login is required, the device can be taken over at administrator level, and severity is 9.8. The trouble is that the vendor has not responded to inquiries, and no fix is in sight. The brand is not widely distributed in Japan, but if you use this model, configure it so it cannot be reached directly from the internet, or consider replacing it.
CVE-2026-4769: "WAGO System I/O Field" industrial gear has a hidden door open only at boot
WAGO is a German maker of industrial gear that controls equipment in factories and plants. The flaw is that the affected devices have an undocumented diagnostic feature that, for a brief window right after power-on, allows access to internal processes with no login (a class of issue called hidden functionality). Severity is a high 9.8, but abuse is limited to just after startup, so a real attack requires reaching the device at the moment it reboots. It targets engineers who handle control systems and has no point of contact with ordinary users. Germany's CERT@VDE is coordinating the response; if you operate the affected gear, follow the vendor's guidance.
CVE-2026-14453: "Centreon" monitoring tool allows code execution after login
Centreon is an enterprise system-monitoring tool (made in France) that watches the status of servers and network gear in one place. The flaw is in the ticket-integration add-on (open-tickets): it passed input strings to the display mechanism (Smarty) without validation, so a crafted string can run arbitrary programs on the server — a technique known as template injection. Severity is 9.6, but abuse requires a login to Centreon, so it is not an out-of-the-blue remote takeover. It is fixed in versions 24.10.14 and 25.10.9. If you run Centreon as your monitoring platform, check for the update.
Also worth noting, under certain conditions
Besides the three above, severity-8.8 network-device flaws were disclosed the same day. All require a login to the device to exploit, so they are not instant takeovers. Tenda's "CH22" router (CVE-2026-15543) has a buffer overflow (oversized data sent in to make a program malfunction) in the routine handling the settings page's certificate list. The router aftermarket firmware "Tomato (Shibby build)" has two similar flaws (CVE-2026-15544 and CVE-2026-15545) in its power-management add-on (apcupsd). Tomato is old firmware whose development has since been taken over, and migrating to the successor (FreshTomato) is recommended. Usage in Japan is limited; take note only if you run the affected gear.
Separately, Japan's JVN also disclosed the same day a flaw in the standard download tool "GNU Wget" (CVE-2026-15146 / severity 5.9). When connecting via an older method (FTP), it does not verify the connection's destination and can be hijacked by an attacker, but severity is moderate and it basically does not trigger under today's common usage (fetching over HTTPS). Only if you use Wget with the older method in development or operations, check the vendor's update notice.
Bottom line: what ordinary users must act on today
The three severity-9.0-or-higher items disclosed on July 13 all target people who install and operate a specific product; the smartphones and web services ordinary consumers use are not directly targeted. Ordinary users generally do not need to do anything right now because of this list. If anything, the Comfast wireless router (severity 9.8) has no fix and can be taken over with no login, so if you use the affected model in a home or shop, consider replacing it.
The item most relevant to ordinary users this day is the one we covered separately, the LINE for iOS bug (CVE-2026-3861). It does not steal information, and updating the app to the latest version fixes it, so it is worth getting that done early. Vulnerabilities seen under active attack can be tracked in the U.S. CISA alert list (KEV dashboard, Japanese edition), but none of the day's three is listed yet. If you run servers or AI setups yourself, also consider a scheme to inventory the flaws in the parts you have adopted, covered in our guide to open-source (supply-chain) component checks. The previous day's list is in the July 12 roundup.
References
- â–¸NVD - CVE-2026-15511 (Comfast CF-WR631AX)
- â–¸NVD - CVE-2026-4769 (WAGO System I/O Field)
- â–¸CERT@VDE - WAGO Advisories
- â–¸NVD - CVE-2026-14453 (Centreon open-tickets)
- â–¸NVD - CVE-2026-15543 (Tenda CH22)
- â–¸NVD - CVE-2026-15544 (Shibby Tomato)
- â–¸NVD - CVE-2026-15545 (Shibby Tomato)
- â–¸JVN - JVNVU94203999 (GNU Wget / CVE-2026-15146)

Makoto Horikawa
Backend Engineer / AWS / Django