CVE-2026-4209
Severity CVSS v4.0:
MEDIUM
Type:
CWE-74
Injection
Publication date:
16/03/2026
Last modified:
16/03/2026
Description
A vulnerability was identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected is the function cgi_create_import_users/cgi_user_batch_create/cgi_user_set_quota/cgi_user_del/cgi_user_modify/cgi_group_set_quota/cgi_group_modify/cgi_group_add/cgi_user_add/cgi_get_modify_group_info/cgi_chg_admin_pw of the file /cgi-bin/account_mgr.cgi. The manipulation leads to command injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
Impact
Base Score 4.0
5.30
Severity 4.0
MEDIUM
Base Score 3.x
6.30
Severity 3.x
MEDIUM
Base Score 2.0
6.50
Severity 2.0
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_148/148.md
- https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_149/149.md
- https://vuldb.com/?ctiid_351120=
- https://vuldb.com/?id_351120=
- https://vuldb.com/?submit_770429=
- https://vuldb.com/?submit_770430=
- https://vuldb.com/?submit_770431=
- https://vuldb.com/?submit_770432=
- https://vuldb.com/?submit_770433=
- https://vuldb.com/?submit_770434=
- https://vuldb.com/?submit_770435=
- https://vuldb.com/?submit_770436=
- https://vuldb.com/?submit_770437=
- https://vuldb.com/?submit_770438=
- https://www.dlink.com/