Description
A vulnerability was found in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function doSubmitPPP of the file sp_pppoe_user.js. The manipulation of the argument Username results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry
technical-description
https://vuldb.com/?id.343675
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.343675
Third Party Advisory, VDB Entry third-party-advisory
https://vuldb.com/?submit.742439
Exploit, Third Party Advisory exploit
https://tzh00203.notion.site/D-Link-DSL6641K-version-N8-TR069-20131126-XSS-via-sp_pppoe_user-js-Configuration-2eeb5c52018a80d083aaf19efbaa9130?source=copy_link
Product product
https://www.dlink.com/
Scores
CVSS v3
2.4
EPSS
0.0005
EPSS Percentile
15.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
CWE-94
Status
published
Products (1)
dlink/dsl-6641k_firmware
n8.tr069.20131126
Published
Feb 02, 2026
Tracked Since
Feb 18, 2026