CVE-2026-13545
HIGHD-Link DCS-935L POST Parameter setconf.cgi sub_400E40 os command injection
Title source: cnaDescription
A vulnerability has been found in D-Link DCS-935L 1.10.01. This affects the function sub_400E40 of the file setconf.cgi of the component POST Parameter Handler. Such manipulation of the argument UID leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
References (6)
Core 6
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-374553 | D-Link DCS-935L POST Parameter setconf.cgi sub_400E40 os command injection
https://vuldb.com/vuln/374553
Signature, Permissions Required signature
permissions-required
VDB-374553 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/374553/cti
Third Party Advisory third-party-advisory
CVE-2026-13545 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-13545
Third Party Advisory third-party-advisory
Submit #842589 | D-Link DCS-935L HD Wi-Fi Camera 1.10.01 CWE-78: OS Command Injection
https://vuldb.com/submit/842589
Exploit exploit
https://github.com/Real-Simplicity/cve-database/tree/main/CVE_Report_DLink_DCS935L_Command_Injection
Product product
https://www.dlink.com/
Scores
CVSS v3
8.8
EPSS
0.0271
EPSS Percentile
84.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-77
CWE-78
Status
published
Products (2)
D-Link/DCS-935L
1.10.01
dlink/dcs-935l_firmware
1.10.01
Published
Jun 29, 2026
Tracked Since
Jun 29, 2026