Dlink

All CVEs

1,843 total · sorted by risk
  • CVE-2025-9745 · Med · Aug 31, 2025
    risk 0.31 · cvss 4.7 · epss 0.10

    A security vulnerability has been detected in D-Link DI-500WF 14.04.10A1T. The impacted element is an unknown function of the file /version_upgrade.asp of the component jhttpd. The manipulation of the argument path leads to os command injection. The attack may be initiated…

  • CVE-2025-7553 · Med · Jul 14, 2025
    risk 0.31 · cvss 4.7 · epss 0.04

    A vulnerability classified as critical has been found in D-Link DIR-818LW up to 20191215. This affects an unknown part of the component System Time Page. The manipulation of the argument NTP Server leads to os command injection. It is possible to initiate the attack remotely.…

  • CVE-2026-7026 · Med · Apr 26, 2026
    risk 0.29 · cvss 4.5 · epss 0.01

    A vulnerability was determined in D-Link DGS-3420 1.50.018. This issue affects some unknown processing of the component System Information Settings Page. This manipulation of the argument System Name causes cross site scripting. Remote exploitation of the attack is possible. The…

  • CVE-2026-11492 · Med · Jun 8, 2026
    risk 0.28 · cvss 4.3 · epss 0.01

    A security flaw has been discovered in D-Link DIR-823G 1.0.2B05. The affected element is an unknown function of the file /etc/vsftpd.conf of the component vsftpd. Performing a manipulation results in least privilege violation. The attack can be initiated remotely. The exploit…

  • CVE-2026-5215 · Med · Mar 31, 2026
    risk 0.28 · cvss 4.3 · epss 0.01

    A vulnerability was identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The impacted…

  • CVE-2025-9769 · Med · Sep 1, 2025
    risk 0.27 · cvss 4.1 · epss 0.26

    A security flaw has been discovered in D-Link DI-7400G+ 19.12.25A1. Affected is the function sub_478D28 of the file /mng_platform.asp. The manipulation of the argument addr with the input `echo 12345 > poc.txt` results in command injection. An attack on the physical device is…

  • CVE-2019-16057 · KEV · Sep 16, 2019
    risk 0.26 · cvss · epss 0.87

    The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection.

  • CVE-2026-11555 · Low · Jun 8, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    A vulnerability was identified in D-Link DGS-1100-08PD 1.00.006. This issue affects some unknown processing of the file /etc/boa.conf of the component Web Interface. Such manipulation leads to least privilege violation. The attack may be launched remotely. The attack requires a…

  • CVE-2026-1685 · Low · Jan 30, 2026
    risk 0.24 · cvss 3.7 · epss 0.01

    A vulnerability was identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_40AC74 of the component Login. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. This attack is…

  • CVE-2025-6932 · Low · Jun 30, 2025
    risk 0.24 · cvss 3.7 · epss 0.01

    A vulnerability, which was classified as problematic, was found in D-Link DCS-7517 up to 2.02.0. This affects the function g_F_n_GenPassForQlync of the file /bin/httpd of the component Qlync Password Generation Handler. The manipulation leads to use of hard-coded password. It is…

  • CVE-2025-6931 · Low · Jun 30, 2025
    risk 0.24 · cvss 3.7 · epss 0.02

    A vulnerability classified as problematic was found in D-Link DCS-6517 and DCS-7517 up to 2.02.0. Affected by this vulnerability is the function generate_pass_from_mac of the file /bin/httpd of the component Root Password Generation Handler. The manipulation leads to…

  • CVE-2025-15245 · Low · Dec 30, 2025
    risk 0.23 · cvss 3.5 · epss 0.01

    A vulnerability was found in D-Link DCS-850L 1.02.09. Affected is the function uploadfirmware of the component Firmware Update Service. The manipulation of the argument DownloadFile results in path traversal. The attack must originate from the local network. The exploit has been…

  • CVE-2025-9003 · Low · Aug 15, 2025
    risk 0.23 · cvss 3.5 · epss 0.01

    A vulnerability has been found in D-Link DIR-818LW 1.04. This vulnerability affects unknown code of the file /bsc_lan.php of the component DHCP Reserved Address Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely.…

  • CVE-2025-8155 · Low · Jul 25, 2025
    risk 0.23 · cvss 3.5 · epss 0.13

    A vulnerability has been found in D-Link DCS-6010L 1.15.03 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /vb.htm of the component Management Application. The manipulation of the argument paratest leads to cross site…

  • CVE-2016-20017 · KEV · Oct 19, 2022
    risk 0.22 · cvss · epss 0.60

    D-Link DSL-2750B devices before 1.05 allow remote unauthenticated command injection via the login.cgi cli parameter, as exploited in the wild in 2016 through 2022.

  • CVE-2016-11021 · KEV · Mar 9, 2020
    risk 0.22 · cvss · epss 0.69

    setSystemCommand on D-Link DCS-930L devices before 2.12 allows a remote attacker to execute code via an OS command in the SystemCommand parameter.

  • CVE-2019-20500 · KEV · Mar 5, 2020
    risk 0.22 · cvss · epss 0.97

    D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Save Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_save configBackup or downloadServerip parameter.

  • CVE-2019-17621 · KEV · Dec 30, 2019
    risk 0.22 · cvss · epss 0.90

    The UPnP endpoint URL /gena.cgi in the D-Link DIR-859 Wi-Fi router 1.05 and 1.06B01 Beta01 allows an Unauthenticated remote attacker to execute system commands as root, by sending a specially crafted HTTP SUBSCRIBE request to the UPnP service when connecting to the local network.

  • CVE-2024-3273 · KEV · Apr 4, 2024
    risk 0.20 · cvss · epss 1.00

    ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The…

  • CVE-2024-3272 · KEV · Apr 4, 2024
    risk 0.20 · cvss · epss 0.98

    ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very critical, has been found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. This issue affects some unknown processing of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET…

  • CVE-2021-45382 · KEV · Feb 17, 2022
    risk 0.20 · cvss · epss 0.98

    A Remote Command Execution (RCE) vulnerability exists in all series H/W revisions D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file. Note: DIR-810L, DIR-820L, DIR-830L, DIR-826L, DIR-836L, all hardware revisions,…

  • CVE-2020-25506 · KEV · Feb 2, 2021
    risk 0.20 · cvss · epss 1.00

    D-Link DNS-320 FW v2.06B01 Revision Ax is affected by command injection in the system_mgr.cgi component, which can lead to remote arbitrary code execution.

  • CVE-2020-25078 · KEV · Sep 2, 2020
    risk 0.20 · cvss · epss 0.98

    An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.

  • CVE-2019-16920 · KEV · Sep 27, 2019
    risk 0.20 · cvss · epss 1.00

    Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who…

  • CVE-2023-25280 · KEV · Mar 16, 2023
    risk 0.19 · cvss · epss 0.98

    OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.

  • CVE-2022-26258 · KEV · Mar 27, 2022
    risk 0.19 · cvss · epss 0.81

    D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp.

  • CVE-2021-40655 · KEV · Sep 24, 2021
    risk 0.19 · cvss · epss 0.87

    An information disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. An attacker can obtain a user name and password by forging a post request to the /getcfg.php page.

  • CVE-2020-29557 · KEV · Jan 29, 2021
    risk 0.19 · cvss · epss 0.54

    An issue was discovered on D-Link DIR-825 R1 devices through 3.0.1 before 2020-11-20. A buffer overflow in the web interface allows attackers to achieve pre-authentication remote code execution.

  • CVE-2024-0769 · KEV · Jan 21, 2024
    risk 0.18 · cvss · epss 0.83

    ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DIR-859 1.06B01. It has been rated as critical. Affected by this issue is some unknown functionality of the file /hedwig.cgi of the component HTTP POST Request Handler. The manipulation of the argument service…

  • CVE-2022-37055 · KEV · Aug 28, 2022
    risk 0.18 · cvss · epss 0.57

    D-Link Go-RT-AC750 GORTAC750_revA_v101b03 and GO-RT-AC750_revB_FWv200b02 are vulnerable to Buffer Overflow via cgibin, hnap_main,

  • CVE-2020-9377 · KEV · Jul 9, 2020
    risk 0.18 · cvss · epss 0.21

    D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer

  • CVE-2022-40799 · KEV · Nov 29, 2022
    risk 0.17 · cvss · epss 0.31

    Data Integrity Failure in 'Backup Config' in D-Link DNR-322L <= 2.60B15 allows an authenticated attacker to execute OS level commands on the device.

  • CVE-2026-7027 · Low · Apr 26, 2026
    risk 0.16 · cvss 2.4 · epss 0.00

    A vulnerability was identified in D-Link DSL-2740R EU_01.15. Impacted is an unknown function of the component Wireless Setup Section. Such manipulation of the argument Wireless Network Name leads to cross site scripting. The attack can be executed remotely. The exploit is…

  • CVE-2026-1744 · Low · Feb 2, 2026
    risk 0.16 · cvss 2.4 · epss 0.00

    A vulnerability was found in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function doSubmitPPP of the file sp_pppoe_user.js. The manipulation of the argument Username results in cross site scripting. The attack may be launched remotely. The exploit has been…

  • CVE-2026-1705 · Low · Jan 30, 2026
    risk 0.16 · cvss 2.4 · epss 0.00

    A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack…

  • CVE-2026-1532 · Low · Jan 28, 2026
    risk 0.16 · cvss 2.4 · epss 0.01

    A vulnerability was identified in D-Link DCS-700L 1.03.09. The affected element is the function uploadmusic of the file /setUploadMusic of the component Music File Upload Service. The manipulation of the argument UploadMusic leads to path traversal. The attack can only be…

  • CVE-2020-25079 · KEV · Sep 2, 2020
    risk 0.15 · cvss · epss 0.53

    An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. cgi-bin/ddns_enc.cgi allows authenticated command injection.

  • CVE-2018-10823 · Oct 17, 2018
    risk 0.11 · cvss · epss 0.78

    An issue was discovered on D-Link DWR-116 through 1.06, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. An authenticated attacker may execute arbitrary code by injecting the shell command into the…

  • CVE-2023-33625 · Jun 12, 2023
    risk 0.10 · cvss · epss 0.33

    D-Link DIR-600 Hardware Version B5, Firmware Version 2.18 was discovered to contain a command injection vulnerability via the ST parameter in the lxmldbc_system() function.

  • CVE-2021-46381 · Mar 4, 2022
    risk 0.10 · cvss · epss 0.58

    Local File Inclusion due to path traversal in D-Link DAP-1620 leads to unauthorized internal files reading [/etc/passwd] and [/etc/shadow].

  • CVE-2020-15893 · Jul 22, 2020
    risk 0.10 · cvss · epss 0.21

    An issue was discovered on D-Link DIR-816L devices 2.x before 1.10b04Beta02. Universal Plug and Play (UPnP) is enabled by default on port 1900. An attacker can perform command injection by injecting a payload into the Search Target (ST) field of the SSDP M-SEARCH discover packet.

  • CVE-2019-20499 · Mar 5, 2020
    risk 0.10 · cvss · epss 0.97

    D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Restore Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_restore configRestore or configServerip parameter.

  • CVE-2019-20215 · Jan 29, 2020
    risk 0.10 · cvss · epss 0.75

    D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers to execute arbitrary OS commands via a urn: to the M-SEARCH method in ssdpcgi() in /htdocs/cgibin, because HTTP_ST is mishandled. The value of the urn: service/device is checked with the strstr function, which…

  • CVE-2019-13101 · Aug 8, 2019
    risk 0.10 · cvss · epss 0.67

    An issue was discovered on D-Link DIR-600M 3.02, 3.03, 3.04, and 3.06 devices. wan.htm can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leveraged by an attacker to modify the data fields of the page.

  • CVE-2019-13373 · Jul 6, 2019
    risk 0.10 · cvss · epss 0.68

    An issue was discovered in the D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6. Input does not get validated and arbitrary SQL statements can be executed in the database via the /web/Public/Conn.php parameter dbSQL.

  • CVE-2019-13372 · Jul 6, 2019
    risk 0.10 · cvss · epss 0.81

    /web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.

  • CVE-2018-10822 · Oct 17, 2018
    risk 0.10 · cvss · epss 0.40

    Directory traversal vulnerability in the web interface on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices allows remote attackers…

  • CVE-2013-10069 · Aug 5, 2025
    risk 0.09 · cvss · epss 0.12

    The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an unauthenticated OS command injection vulnerability in command.php, which improperly handles the cmd POST parameter. A remote attacker can exploit this flaw…

  • CVE-2013-10048 · Aug 1, 2025
    risk 0.09 · cvss · epss 0.12

    An OS command injection vulnerability exists in various legacy D-Link routers—including DIR-300 rev B and DIR-600 (firmware ≤ 2.13 and ≤ 2.14b01, respectively)—due to improper input handling in the unauthenticated command.php endpoint. By sending specially crafted POST…

  • CVE-2013-10059 · Aug 1, 2025
    risk 0.09 · cvss · epss 0.19

    An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm…
