CVE-2026-1744
Description
A vulnerability was found in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function doSubmitPPP of the file sp_pppoe_user.js. The manipulation of the argument Username results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in D-Link DSL-6641K router's PPPoE username field affects an end-of-life device with a public exploit.
Vulnerability
Analysis
The vulnerability resides in the doSubmitPPP function within the sp_pppoe_user.js file of the D-Link DSL-6641K router running firmware version N8.TR069.20131126. The function fails to sanitize the Username argument before processing it, allowing an attacker to inject arbitrary JavaScript or HTML code. This is a classic stored or reflected cross-site scripting (XSS) issue, depending on how the input is later rendered [1].
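As an added illustration of the defect class described above (not code from the D-Link firmware, and not a reconstruction of doSubmitPPP), the following JavaScript shows a username value concatenated straight into page markup beside the hardened form that HTML-encodes it first. The function names, the row layout and the username allowlist pattern are assumptions made for the example.

```javascript
// Added example, not the vendor's code. Shows why an unencoded Username
// becomes reflected XSS and what the encoded version looks like.

// Minimal HTML encoder covering the five characters that can break out of
// text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the submitted username is concatenated into markup
// (the kind of string later assigned to innerHTML), so any tags or quotes in
// the value are interpreted by the browser instead of displayed.
function renderPppUserRowUnsafe(username) {
  return '<td>' + username + '</td>' +
         '<td><input name="Username" value="' + username + '"></td>';
}

// Hardened pattern: every interpolation goes through escapeHtml, which keeps
// the value as inert data in both text and attribute context.
function renderPppUserRowSafe(username) {
  const enc = escapeHtml(username);
  return '<td>' + enc + '</td>' +
         '<td><input name="Username" value="' + enc + '"></td>';
}

// Optional second layer (an assumption, not a vendor rule): reject values that
// contain characters a PPPoE login would never need before they reach the page.
const PPP_USERNAME_RE = /^[A-Za-z0-9._@-]{1,64}$/;
function isPlausiblePppUsername(username) {
  return PPP_USERNAME_RE.test(String(username));
}

// Constructed probe value: benign markup used only to show the difference.
const PROBE = 'alice<b>x</b>';
console.log('unsafe:', renderPppUserRowUnsafe(PROBE));
console.log('safe:  ', renderPppUserRowSafe(PROBE));
console.log('plausible?', isPlausiblePppUsername(PROBE));
```

The encoding belongs at the point where the value is written into markup, not at form submission time, because the same username is rendered again wherever the configuration page is redrawn; the allowlist check is a secondary control and does not replace output encoding.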
Exploitation
An attacker can exploit this flaw by crafting a malicious URL or form submission that includes a specially crafted Username parameter. The attack can be launched remotely without requiring authentication, as the vulnerable device's web interface is accessible over the network. The exploit has been publicly disclosed, increasing the risk of active targeting [1].
Impact
Successful exploitation allows an attacker to execute arbitrary script in the context of the victim's browser session when they interact with the affected page. This could lead to session hijacking, defacement, or redirection to malicious sites. However, the CVSS score of 2.4 reflects the low severity due to the need for user interaction and the limited impact on confidentiality, integrity, and availability [1].
Mitigation
D-Link has confirmed that the DSL-6641K is end-of-life and no longer supported. No patch will be provided. Users are strongly advised to replace the device with a supported model. As a temporary workaround, restrict access to the router's management interface to trusted networks only [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:dlink:dsl-6641k_firmware:n8.tr069.20131126:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- tzh00203.notion.site/D-Link-DSL6641K-version-N8-TR069-20131126-XSS-via-sp_pppoe_user-js-Configuration-2eeb5c52018a80d083aaf19efbaa9130 (nvd: Exploit, Third Party Advisory)
- vuldb.com (nvd: Third Party Advisory, VDB Entry)
- vuldb.com (nvd: Third Party Advisory, VDB Entry)
- vuldb.com (nvd: Permissions Required, VDB Entry)
- www.dlink.com (nvd: Product)
News mentions
No linked articles in our index yet.