CVE-2026-8273

A weakness has been identified in D-Link DNS-320 2.06B01. This impacts the function cgi_set_host/cgi_set_ntp/cgi_fan_control/cgi_merge_user of the file /cgi-bin/system_mgr.cgi. This manipulation causes os command injection. It is possible to initiate the attack remotely.

CVSS v3 4.7 MEDIUM
CVSS v2.0 5.8 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:M/C:P/I:P/A:P

Exploitability : 6.4 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication MULTIPLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/D-Link%20DNS-320%20%20system_mgraccount_mgrdsk_mgrapp_mgr%20Multiple%20CGI%20OS%20Command%20Injection.md	Exploit Third Party Advisory
https://vuldb.com/submit/810082	Third Party Advisory VDB Entry
https://vuldb.com/vuln/362570	Third Party Advisory VDB Entry
https://vuldb.com/vuln/362570/cti	Permissions Required VDB Entry
https://www.dlink.com/	Product
https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/D-Link%20DNS-320%20%20system_mgraccount_mgrdsk_mgrapp_mgr%20Multiple%20CGI%20OS%20Command%20Injection.md	Exploit Third Party Advisory
https://vuldb.com/submit/810082	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:dlink:dns-320_firmware:2.06b01:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dns-320:-:*:*:*:*:*:*:*

History

11 May 2026, 20:31

Type	Values Removed	Values Added
First Time		Dlink Dlink dns-320 Firmware Dlink dns-320
CPE		cpe:2.3:o:dlink:dns-320_firmware:2.06b01:::::::* cpe:2.3:h:dlink:dns-320:-:::::::*
References	~~() https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/D-Link%20DNS-320%20%20system_mgraccount_mgrdsk_mgrapp_mgr%20Multiple%20CGI%20OS%20Command%20Injection.md -~~	() https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/D-Link%20DNS-320%20%20system_mgraccount_mgrdsk_mgrapp_mgr%20Multiple%20CGI%20OS%20Command%20Injection.md - Exploit, Third Party Advisory
References	~~() https://vuldb.com/submit/810082 -~~	() https://vuldb.com/submit/810082 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/vuln/362570 -~~	() https://vuldb.com/vuln/362570 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/vuln/362570/cti -~~	() https://vuldb.com/vuln/362570/cti - Permissions Required, VDB Entry
References	~~() https://www.dlink.com/ -~~	() https://www.dlink.com/ - Product

11 May 2026, 16:17

Type	Values Removed	Values Added
References	~~() https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/D-Link%20DNS-320%20%20system_mgraccount_mgrdsk_mgrapp_mgr%20Multiple%20CGI%20OS%20Command%20Injection.md -~~	() https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/D-Link%20DNS-320%20%20system_mgraccount_mgrdsk_mgrapp_mgr%20Multiple%20CGI%20OS%20Command%20Injection.md -
References	~~() https://vuldb.com/submit/810082 -~~	() https://vuldb.com/submit/810082 -

11 May 2026, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-11 05:16

Updated : 2026-05-11 20:31

NVD link : CVE-2026-8273

Mitre link : CVE-2026-8273

CVE.ORG link : CVE-2026-8273

JSON object : View

Products Affected

dlink

dns-320_firmware
dns-320

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

4.7 /10