CVE-2026-4354
Description
A vulnerability was identified in TRENDnet TEW-824DRU 1.010B01/1.04B01. The affected element is the function sub_420A78 in the file apply_sec.cgi of the Web Interface component. Manipulating the argument Language leads to cross-site scripting. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TRENDnet TEW-824DRU router contains a stored cross-site scripting vulnerability in the apply_sec.cgi Language parameter, allowing remote authenticated attackers to cause denial of service.
Vulnerability Overview
The TRENDnet TEW-824DRU router firmware versions 1.010B01 and 1.04B01 contain a stored cross-site scripting (XSS) vulnerability in the apply_sec.cgi CGI script. The Language parameter is not sanitized before being reflected into the front-end HTML source code, such as in script tags and hidden input fields [1]. This allows an attacker to inject arbitrary JavaScript.
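The two sinks named above (a hidden input field and a script block) need different encodings, and a language selector can also be checked against a fixed list before it reaches either. The following C code is an added example, not TRENDnet's firmware code and not taken from the referenced report; the allowlist values and all function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist: the language codes a UI might ship (assumed values). */
static const char *const LANGS[] = { "en", "de", "es", "fr", "ru" };

/* Returns 1 only for an exact match; any other value is rejected up front. */
int lang_is_allowed(const char *v) {
    for (size_t i = 0; i < sizeof LANGS / sizeof LANGS[0]; i++)
        if (strcmp(v, LANGS[i]) == 0) return 1;
    return 0;
}

/* Append len bytes of s to out, keeping it NUL-terminated; -1 if it will not fit. */
static int put(char *out, size_t cap, size_t *n, const char *s, size_t len) {
    if (*n + len >= cap) return -1;
    memcpy(out + *n, s, len); *n += len; out[*n] = '\0';
    return 0;
}

/* Encode for an HTML attribute value, e.g. <input type="hidden" value="...">.
 * Returns 0 on success, -1 if out is too small (the caller must discard out). */
int html_attr_escape(const char *in, char *out, size_t cap) {
    size_t n = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (; *in; in++) {
        const char *rep = *in == '&' ? "&amp;" : *in == '<' ? "&lt;" : *in == '>' ? "&gt;"
                        : *in == '"' ? "&quot;" : *in == '\'' ? "&#39;" : NULL;
        if (put(out, cap, &n, rep ? rep : in, rep ? strlen(rep) : 1)) return -1;
    }
    return 0;
}

/* Encode for a quoted JavaScript string inside a <script> block: every byte
 * that is not ASCII alphanumeric becomes \xHH, so quotes, backslashes and
 * "</script>" cannot close the string or the element. Same return values. */
int js_string_escape(const char *in, char *out, size_t cap) {
    size_t n = 0;
    char hex[5];
    if (cap == 0) return -1;
    out[0] = '\0';
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        snprintf(hex, sizeof hex, "\\x%02x", c);
        if (put(out, cap, &n, isalnum(c) ? in : hex, isalnum(c) ? 1 : 4)) return -1;
    }
    return 0;
}
```

With the allowlist in place the encoders are a second layer: a value that fails `lang_is_allowed` is replaced by a default and never written into the page.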
Exploitation
An authenticated attacker can send a crafted POST request to /apply_sec.cgi with a malicious Language value. The injected script is stored and executed in the context of the web interface when other users (including administrators) load the page. The attack is remote and does not require special network access beyond being able to reach the router's management interface [1].
Impact
Successful exploitation leads to arbitrary script execution in the browser of any user viewing the affected page. This can be used to steal session cookies, perform actions on behalf of the victim, or cause a denial of service by redirecting or crashing the web interface [1]. The CVSS score of 3.5 reflects the low severity due to the requirement of authentication and the limited impact.
Mitigation
The vendor was contacted but did not respond, and no official patch has been released as of the publication date. Users are advised to restrict access to the router's management interface to trusted networks and consider using a firewall to limit exposure [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 1.010B01/1.04B01
Patches (0)
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.