CVE-2026-4197 - Vulnerability Details

A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected is the function RSS_Get_Update_Status/RSS_Update/RSS_Channel_AutoDownlaod/RSS_Add/RSS_Channel_Item_Downlaod/RSS_History_Item_List/RSS_Item_List of the file /cgi-bin/download_mgr.cgi. The manipulation results in command injection. The attack may be performed from remote. The exploit has been made public and could be used.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_102/102.md
https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_103/103.md
https://vuldb.com/?ctiid.351109
https://vuldb.com/?id.351109
https://vuldb.com/?submit.769864
https://vuldb.com/?submit.769865
https://vuldb.com/?submit.769866
https://vuldb.com/?submit.769867
https://vuldb.com/?submit.769868
https://vuldb.com/?submit.769869
https://vuldb.com/?submit.769870
https://vuldb.com/?submit.770363
https://vuldb.com/?submit.770364
https://www.dlink.com/

History

Mon, 16 Mar 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected is the function RSS_Get_Update_Status/RSS_Update/RSS_Channel_AutoDownlaod/RSS_Add/RSS_Channel_Item_Downlaod/RSS_History_Item_List/RSS_Item_List of the file /cgi-bin/download_mgr.cgi. The manipulation results in command injection. The attack may be performed from remote. The exploit has been made public and could be used.
Title		D-Link DNS-1550-04 download_mgr.cgi RSS_Item_List command injection
Weaknesses		CWE-74 CWE-77
References		https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_102/102.md https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_103/103.md https://vuldb.com/?ctiid.351109 https://vuldb.com/?id.351109 https://vuldb.com/?submit.769864 https://vuldb.com/?submit.769865 https://vuldb.com/?submit.769866 https://vuldb.com/?submit.769867 https://vuldb.com/?submit.769868 https://vuldb.com/?submit.769869 https://vuldb.com/?submit.769870 https://vuldb.com/?submit.770363 https://vuldb.com/?submit.770364 https://www.dlink.com/
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-15T23:32:15.445Z

Updated: 2026-03-15T23:32:15.445Z

Reserved: 2026-03-15T08:22:57.970Z

Link: CVE-2026-4197

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object