Medium severity 4.5 · NVD Advisory · Published Apr 26, 2026 · Updated Apr 30, 2026

CVE-2026-7026

Description

A vulnerability was found in D-Link DGS-3420 1.50.018. It affects unknown processing in the System Information Settings Page component. Manipulating the System Name argument causes cross-site scripting. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in D-Link DGS-3420 System Information Settings via the System Name parameter allows remote unauthenticated attacks.

Vulnerability Analysis

The D-Link DGS-3420 switch firmware version 1.50.018 contains a cross-site scripting (XSS) vulnerability in the System Information Settings page. The component fails to sanitize user-supplied input to the 'System Name' argument, allowing an attacker to inject arbitrary web scripts or HTML. This flaw occurs when the system name is stored and later rendered in administrative interface pages without proper escaping [1].

Attack Vector

An attacker can exploit this vulnerability remotely without requiring authentication, as the System Name field can be set on the unauthenticated configuration page. The manipulated argument triggers stored XSS, meaning the injected payload executes whenever an administrator views the System Information page. Public exploit code is available, lowering the barrier for exploitation [1].

Impact

Successful exploitation allows the attacker to execute malicious scripts in the browser of an authenticated administrator. This could lead to session hijacking, defacement of the management interface, or theft of sensitive configuration data. The CVSS v3 base score of 4.5 indicates a medium severity, reflecting the need for user interaction but significant potential for lateral movement within the network [1].

Mitigation

As of the publication date, D-Link has not released a patch for this vulnerability. Users are advised to restrict access to the management interface via firewall rules or VLAN segmentation, and to monitor for firmware updates from the vendor. The vulnerability is publicly disclosed and should be treated as an active risk [1].
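One way to act on this while no patch exists, as an added example that is not from the advisory or from D-Link: list the affected switches in an inventory, flag any stored System Name that carries markup characters, and HTML-escape the name before it is shown in a report. The `Switch` record, its field names and the sample rows are constructed assumptions; collecting the names from the devices is left to existing tooling.

```python
import html
import re
from dataclasses import dataclass

# Affected model and firmware exactly as named in the CVE description.
AFFECTED = ("DGS-3420", "1.50.018")

# Characters with meaning in HTML/attribute contexts, plus control characters.
MARKUP = re.compile(r"[<>\"'&`]|[\x00-\x1f\x7f]")


@dataclass
class Switch:  # hypothetical inventory record, not a D-Link format
    host: str
    model: str
    firmware: str
    system_name: str


def audit(inventory):
    """Report every affected switch and whether its stored name carries markup."""
    report = []
    for sw in inventory:
        if (sw.model, sw.firmware) != AFFECTED:
            continue
        chars = sorted(set(MARKUP.findall(sw.system_name)))
        report.append({
            "host": sw.host,
            "suspicious": bool(chars),
            "chars": chars,
            # Only this escaped form should reach an HTML report or dashboard.
            "safe_name": html.escape(sw.system_name, quote=True),
        })
    return report


# Constructed sample inventory: documentation addresses, made-up names.
SAMPLE = [
    Switch("192.0.2.10", "DGS-3420", "1.50.018", "core-sw-01"),
    Switch("192.0.2.11", "DGS-3420", "1.50.018", "<b>lab</b> & test"),
    Switch("192.0.2.12", "OTHER-MODEL", "0.00.000", "<i>edge</i>"),
]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Rows marked `suspicious` are the ones to review and reset from a trusted path; every row returned is a device whose management interface falls under the access restrictions described above.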

References
  1. Landing

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.
