Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability has been found in Datacom DM4100 1.3.6.1.4.1.3709. Affected by this issue is some unknown functionality of the component VLAN Page. Such manipulation of the argument VLAN Name leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Reflected cross-site scripting (XSS) in Datacom DM4100 version 1.3.6.1.4.1.3709 allows remote attackers with high administrative privileges to inject malicious scripts via the VLAN Name parameter on the VLAN Page, exploitable only with user interaction. Public exploit code is available, and the vendor has not responded to early disclosure notifications.
Technical ContextAI
The vulnerability exists in the VLAN Page component of Datacom DM4100, a network management device. The VLAN Name input field fails to properly sanitize or encode user-supplied input before reflecting it in HTTP responses, enabling stored or reflected XSS attacks (CWE-79). Attackers can inject arbitrary JavaScript that executes in the context of an administrator's browser session. The attack requires network access to the device's web interface and exploitation depends on user interaction (clicking a malicious link or visiting a crafted page), limiting the attack surface compared to direct network exploitation.
RemediationAI
No vendor-released patch identified at time of analysis. Given the vendor's non-responsiveness to early disclosure, a patch is unlikely to be forthcoming. Compensating controls include: restrict administrative access to trusted personnel only, implement network segmentation to limit access to the device's web interface (e.g., restrict to management VLAN or specific IP ranges), disable or restrict the VLAN Page functionality if not operationally required (consult Datacom documentation for feature toggle availability), and educate administrators against clicking untrusted links or visiting suspicious content while logged into the device. Input validation at the network edge (WAF or reverse proxy) is not feasible for this appliance. Evaluate replacement with a patched alternative if risk tolerance is low.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25674