CVE-2026-8273

MEDIUM

D-Link DNS-320 system_mgr.cgi cgi_merge_user os command injection

Title source: cna
STIX 2.1

Description

A weakness has been identified in D-Link DNS-320 2.06B01. This impacts the function cgi_set_host/cgi_set_ntp/cgi_fan_control/cgi_merge_user of the file /cgi-bin/system_mgr.cgi. This manipulation causes os command injection. It is possible to initiate the attack remotely.

References (5)

Core 5
Core References
Vdb Entry, Technical Description vdb-entry technical-description
VDB-362570 | D-Link DNS-320 system_mgr.cgi cgi_merge_user os command injection
https://vuldb.com/vuln/362570
Signature, Permissions Required signature permissions-required
VDB-362570 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/362570/cti
Third Party Advisory third-party-advisory
Submit #810082 | D-Link Corporation DNS-320 ShareCenter NAS (Rev.A) Firmware 2.06B01 HOTFIX CWE-78: OS Command Injection
https://vuldb.com/submit/810082
Product product
https://www.dlink.com/

Scores

CVSS v3 4.7
EPSS 0.0012
EPSS Percentile 30.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-77 CWE-78
Status published
Products (2)
D-Link/DNS-320 2.06B01
dlink/dns-320_firmware 2.06b01
Published May 11, 2026
Tracked Since May 11, 2026