HB
GL.iNet Beryl AX Triple RCE: CVE-2026-11450/11451/11452 — Unauthenticated Root on a Travel Router
Introduction
On June 7, 2026, three critical command injection vulnerabilities were published against the GL.iNet GL-MT3000 — better known as the Beryl AX, one of the most popular pocket-sized travel routers on the market. All three share a single devastating root cause: the rou…