CVE-2026-4204 | D-Link DNS-1550-04 up to 20260205 /cgi-bin/gui_mgr.cgi f_user command injection

A vulnerability identified as critical has been detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The affected element is the function

cgi_myfavorite_add/cgi_myfavorite_set/cgi_myfavorite_del/cgi_myfavorite_set_sort_info/cgi_myfavorite_remove_apkg/cgi_myfavorite_compare_apkg/cgi_mycloud_auto_downlaod

of the file /cgi-bin/gui_mgr.cgi. This manipulation of the argument f_user causes command injection.

This vulnerability is registered as CVE-2026-4204. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

CVE-2026-4204 | D-Link DNS-1550-04 up to 20260205 /cgi-bin/gui_mgr.cgi f_user command injection

Post correlati

CVE-2024-1023 | Vert.x 4.4.5/4.4.6/4.5.0/4.5.1 Data Structure memory leak

CVE-2023-6583 | Import and Export Users and Customers Plugin up to 1.24.2 on WordPress Recurring Import path traversal

CVE-2024-31371 | Xylus Themes WP Event Aggregator Plugin up to 1.7.6 on WordPress cross-site request forgery

CVE-2026-1665 | nvm-sh nvm up to 0.40.3 Environment Variable nvm_download NVM_AUTH_HEADER os command injection