CVE-2026-8273 - Vulnerability Analysis
MediumCVSS: 4.7Last Updated: May 11, 2026
D-Link DNS-320 - Command Injection
Published: May 11, 2026Updated: May 11, 2026PoC AvailableRemote Exploitable
Overview
D-Link DNS-320 2.06B01 contains a command injection caused by manipulation of cgi_set_host/cgi_set_ntp/cgi_fan_control/cgi_merge_user functions in /cgi-bin/system_mgr.cgi, letting remote attackers execute OS commands, exploit requires network access.
Severity & Score
Severity: Medium
CVSS Score: 4.7
Impact
Remote attackers can execute arbitrary OS commands, potentially leading to full system compromise.
Mitigation
Update to the latest firmware version available from D-Link.
References
- https://www.dlink.com/
- https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/D-Link%20DNS-320%20%20system_mgraccount_mgrdsk_mgrapp_mgr%20Multiple%20CGI%20OS%20Command%20Injection.md
- https://vuldb.com/submit/810082
- https://vuldb.com/vuln/362570
- https://vuldb.com/vuln/362570/cti
Related Resources
Details
- CVE ID
- CVE-2026-8273
- Severity
- Medium
- CVSS Score
- 4.7
- Type
- command_injection
- Status
- confirmed
CWE
- CWE-77
- CWE-78
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L