CVE-2026-7027
Description
A vulnerability was identified in D-Link DSL-2740R EU_01.15. Impacted is an unknown function of the component Wireless Setup Section. Such manipulation of the argument Wireless Network Name leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting vulnerability exists in the Wireless Network Name field of the D-Link DSL-2740R (firmware EU_01.15) Wireless Setup, allowing remote unauthenticated attacks.
Root Cause
The vulnerability resides in the Wireless Setup Section of the D-Link DSL-2740R router running firmware version EU_01.15. Manipulation of the argument “Wireless Network Name” (the SSID field) triggers a cross-site scripting (XSS) condition. This indicates that the application fails to sanitize user-supplied input before rendering it in the administrative web interface, allowing arbitrary script or HTML injection.
Attack Vector
The attack can be executed remotely. Since the router’s web management interface is typically accessible over the local network, an unauthenticated attacker who can reach the management page may exploit the flaw by crafting a malicious SSID value that, when saved and later displayed in the browser, executes attacker-controlled scripts [1]. The exploit is publicly available, lowering the barrier to exploitation.
Impact
Successful exploitation could allow an attacker to execute JavaScript in the context of the authenticated administrator’s session. This can lead to session hijacking, defacement of the management interface, or theft of sensitive configuration data. The CVSS score is 2.4 (Low), suggesting limited direct impact, though the availability of a public exploit elevates the real-world risk for unpatched devices.
Mitigation
As of the publication date, D-Link has not released a patched firmware for the DSL-2740R. Users should restrict access to the router’s web interface to trusted local hosts only, disable remote administration if possible, and monitor for an official firmware update from D-Link [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:dlink:dsl-2740r_firmware:eu_01.15:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- vuldb.com/submit/797896 (NVD: Third Party Advisory, VDB Entry)
- vuldb.com/vuln/359607 (NVD: Third Party Advisory, VDB Entry)
- vuldb.com/vuln/359607/cti (NVD: Permissions Required, VDB Entry)
- www.dlink.com (NVD: Product)