CVE-2026-4210

MEDIUM

D-Link DNS-1550-04 time_machine.cgi cgi_tm_set_share command injection

Title source: cna

Description

A security flaw has been discovered in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected by this vulnerability is the function cgi_tm_set_share of the file /cgi-bin/time_machine.cgi. The manipulation of the argument Name results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

References (5)

[Vdb Entry, Technical Description] https://vuldb.com/?id.351121

[Signature, Permissions Required] https://vuldb.com/?ctiid.351121

[Third Party Advisory] https://vuldb.com/?submit.770440

[Exploit] https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_159/159.md

View Exploit ZIP pw:eip

[Broken Link, Product] https://www.dlink.com/

Scores

CVSS v3 6.3

EPSS 0.0013

EPSS Percentile 31.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-74 CWE-77

Status published

Products (40)

D-Link/DNR-202L 20260205

D-Link/DNR-322L 20260205

D-Link/DNR-326 20260205

D-Link/DNS-1100-4 20260205

D-Link/DNS-120 20260205

D-Link/DNS-1200-05 20260205

D-Link/DNS-1550-04 20260205

D-Link/DNS-315L 20260205

D-Link/DNS-320 20260205

D-Link/DNS-320L 20260205

... and 30 more

Published Mar 16, 2026

Tracked Since Mar 16, 2026