There is command injection in the addMeshNode interface of xqnetwork.lua, which leads to command execution under administrator authority on Xiaomi router AX3600 with rom versionrom< 1.1.12
[
{
"product": "Xiaomi Router AX3600",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Xiaomi RouterAX3600 rom versionrom< 1.1.12"
}
]
}
]