CVE-2026-4210
MEDIUMD-Link DNS-1550-04 time_machine.cgi cgi_tm_set_share command injection
Title source: cnaDescription
A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected by this vulnerability is the function cgi_tm_set_share of the file /cgi-bin/time_machine.cgi. The manipulation of the argument Name results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
References (5)
Core 5
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-351121 | D-Link DNS-1550-04 time_machine.cgi cgi_tm_set_share command injection
https://vuldb.com/?id.351121
Signature, Permissions Required signature
permissions-required
VDB-351121 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/?ctiid.351121
Third Party Advisory third-party-advisory
Submit #770440 | D-Link DNS-120/202L/315L/320/320L/320LW/321/322L/323/325/326/327L/326/340L/343/345/726-4/1100-4/1200-05/1550-04 up to 20260205 Command Injection
https://vuldb.com/?submit.770440
Broken Link, Product broken-link
product
https://www.dlink.com/
Scores
CVSS v3
6.3
EPSS
0.0356
EPSS Percentile
87.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-74
CWE-77
Status
published
Products (40)
D-Link/DNR-202L
20260205
D-Link/DNR-322L
20260205
D-Link/DNR-326
20260205
D-Link/DNS-1100-4
20260205
D-Link/DNS-120
20260205
D-Link/DNS-1200-05
20260205
D-Link/DNS-1550-04
20260205
D-Link/DNS-315L
20260205
D-Link/DNS-320
20260205
D-Link/DNS-320L
20260205
... and 30 more
Published
Mar 16, 2026
Tracked Since
Mar 16, 2026