Skip to main content

Datacom DM4100 CVE-2026-7001

| EUVDEUVD-2026-25678 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-25 VulDB
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

8
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
4.8 (MEDIUM) 1.9 (LOW)
Severity Changed
Apr 25, 2026 - 22:22 NVD
LOW MEDIUM
CVSS changed
Apr 25, 2026 - 22:22 NVD
2.4 (LOW) 4.8 (MEDIUM)
Analysis Generated
Apr 25, 2026 - 21:45 vuln.today
EUVD ID Assigned
Apr 25, 2026 - 21:30 euvd
EUVD-2026-25678
Analysis Generated
Apr 25, 2026 - 21:30 vuln.today
CVE Published
Apr 25, 2026 - 21:15 nvd
LOW 1.9

DescriptionCVE.org

A vulnerability was found in Datacom DM4100 1.3.6.1.4.1.3709. This affects an unknown part of the component Ethernet Configuration Page. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site scripting (XSS) in Datacom DM4100 version 1.3.6.1.4.1.3709 allows authenticated remote attackers to inject malicious scripts via manipulation of the Name parameter in the Ethernet Configuration Page. The vulnerability requires high-privilege administrative access and user interaction to trigger, limiting real-world impact despite public exploit availability. Vendor has not responded to disclosure.

Technical ContextAI

The vulnerability is a reflected or stored XSS flaw (CWE-79) in the Ethernet Configuration Page component of the DM4100 network device, which lacks proper input validation and output encoding on the Name parameter. The DM4100 is a network appliance (likely a router or gateway based on Datacom's product portfolio) that manages Ethernet interface configurations. The unvalidated Name parameter permits injection of arbitrary HTML and JavaScript into the admin interface, which executes in the context of authenticated administrator sessions when the malicious link is accessed or the stored payload is viewed.

RemediationAI

No vendor-released patch has been identified at time of analysis, and Datacom did not respond to early disclosure requests. Organizations must apply compensating controls: restrict administrative access to the DM4100 management interface to trusted networks only via firewall rules, disable remote management if not required and use local console access exclusively, implement web application firewall (WAF) rules to block script tags in HTTP requests to the Ethernet Configuration Page endpoint, and consider disabling the Ethernet Configuration Page feature if not in active use. If administrative management is required, use a jump host or VPN to isolate access and educate administrators not to click untrusted links referencing the device's management interface. For critical deployments, evaluate replacement with a vendor that actively maintains security patches.

Share

CVE-2026-7001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy