CVE-2026-34473: Pre-auth ZTE H-series router DoS via CGILua request-body parsing

The post discloses a pre-authentication Denial-of-Service (DoS) vulnerability in ZTE H-series routers, assigned CVE-2026-34473. The issue stems from improper handling of application/x-www-form-urlencoded POST data in CGILua request-body parsing, allowing attacker-controlled input to bypass login enforcement. The writeup includes firmware analysis, validation footage, affected models, a disclosure timeline, and decompiled parser evidence. The author seeks feedback on the root-cause analysis from embedded web stack or router firmware reviewers.