| Metric | Value |
|---|---|
| CVEs | 21 |
| Critical | 4 |
| High | 9 |
| KEV | 0 |
| PoC | 13 |
| Unpatched C/H | 13 |
| Patch Rate | 4.8% |
| Avg EPSS | 0.1% |
Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 4 |
| HIGH | 9 |
| MEDIUM | 2 |
| LOW | 6 |
Monthly CVE Trend
Affected Products (30)

| Product | Count |
|---|---|
| Dir 513 Firmware | 34 |
| Dir 619l Firmware | 28 |
| Dir 816 Firmware | 26 |
| Dwr M960 Firmware | 22 |
| Dir 823x Firmware | 18 |
| Dir 605l Firmware | 17 |
| PHP | 13 |
| Di 7003G Firmware | 11 |
| Di 8100 Firmware | 10 |
| Dwr M920 Firmware | 10 |
| Dir 600L Firmware | 9 |
| Dsl 7740C Firmware | 9 |
| Cloudlink | 8 |
| Dir 618 Firmware | 8 |
| Dir 853 Firmware | 7 |
| Dsl 3782 Firmware | 7 |
| Dcs 932l Firmware | 6 |
| Dir 825 Firmware | 6 |
| Dir 816L Firmware | 6 |
| Dir 822K Firmware | 6 |
| Dir 615 Firmware | 5 |
| Dir 878 Firmware | 5 |
| Dap 2695 Firmware | 4 |
| Dnr 326 | 4 |
| Dap 1620 Firmware | 4 |
| Dir 823G Firmware | 4 |
| Dns 1100 4 | 4 |
| Dns 120 | 4 |
| Dir 882 Firmware | 4 |
| Dnr 202l | 4 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-7853 | Buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 allows remote unauthenticated attackers to execute arbitrary code via crafted HTTP requests to /auto_reboot.asp. The vulnerability exploits unsafe sprintf calls handling the 'enable' and 'time' parameters in the auto-reboot feature's HTTP handler. A public proof-of-concept exploit is available on GitHub, significantly lowering the barrier to exploitation. CVSS 8.9 with EPSS and attack complexity both low indicate high real-world risk for internet-facing devices running this firmware version. | HIGH | 8.9 | 0.1% | 65 | PoC, No patch |
| CVE-2026-7854 | Remote unauthenticated buffer overflow in D-Link DI-8100 firmware 16.07.26A1 enables attackers to execute arbitrary code, compromise device integrity, and cause denial of service via crafted POST requests to /url_rule.asp. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation. The CVSS 9.8 critical score reflects network-based remote attack requiring no authentication or user interaction, though no active exploitation has been confirmed via CISA KEV at time of analysis. | HIGH | 8.9 | 0.1% | 65 | PoC, No patch |
| CVE-2026-8260 | Buffer overflow in D-Link DCS-935L camera firmware versions up to 1.10.01 allows authenticated remote attackers to achieve complete system compromise via crafted AdminPassword parameter to the HNAP service. Public exploit code exists on GitHub (0xcc12138/DCS-935L-HNAP-Service-CVE), demonstrating weaponization of this vulnerability. CVSS 4.0 score of 7.4 with CVSS:4.0/E:P confirms proof-of-concept exploitation. While authentication is required (PR:L), the low attack complexity (AC:L) and network attack vector (AV:N) combined with publicly available exploit code make this a practical remote exploitation risk for devices exposed to untrusted networks or compromised accounts. | HIGH | 7.4 | 0.0% | 57 | PoC, No patch |
| CVE-2026-7855 | Buffer overflow in D-Link DI-8100 router (firmware 16.07.26A1) allows authenticated remote attackers to execute arbitrary code or crash the device via crafted HTTP requests to the /tggl.asp endpoint. The vulnerability affects the tggl_asp function's Name parameter handling. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation for attackers with valid router credentials. | HIGH | 7.4 | 0.0% | 57 | PoC, No patch |
| CVE-2026-7851 | Stack-based buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 allows authenticated remote attackers with high privileges to execute arbitrary code via malformed ID parameter to yyxz.asp administrative interface. Public exploit code exists on GitHub, demonstrating reliable exploitation. CVSS 7.3 (High) reflects network attack vector but requires admin-level authentication, limiting real-world exposure to compromised credentials or insider scenarios. | HIGH | 7.3 | 0.1% | 57 | PoC, No patch |
| CVE-2026-7856 | Buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 allows authenticated administrators to execute arbitrary code via crafted 'Name' parameter to /url_member.asp in the web management interface. Public exploit code exists on GitHub, demonstrating active proof-of-concept availability. EPSS data unavailable; CVSS 7.2 reflects high impact but limited by requirement for high-privilege (admin) authentication, reducing real-world urgency for most organizations unless admin credentials are compromised or insider threat exists. | HIGH | 7.3 | 0.1% | 57 | PoC, No patch |
| CVE-2026-7857 | Buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 enables authenticated remote code execution via crafted input to the /user_group.asp CGI handler. Attackers with high-privilege (administrator) credentials can exploit the unsafe sprintf function to achieve arbitrary code execution with complete system compromise. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation despite the high-privilege requirement. | HIGH | 7.3 | 0.1% | 57 | PoC, No patch |
| CVE-2026-42374 | D-Link DIR-600L Hardware Revision B1 routers expose a hardcoded telnet backdoor granting unauthenticated remote attackers root shell access via static credentials ('Alphanetworks' / 'wrgn61_dlwbr_dir600L'). The vulnerability affects End-of-Life devices that will never receive patches, making permanent network isolation or replacement the only remediation options. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and publicly documented credentials, this represents critical risk for any exposed device, though exploitation requires local network access despite the 'Network' attack vector classification. | CRITICAL | 9.8 | 0.1% | 49 | No patch |
| CVE-2026-42373 | Hardcoded telnet backdoor in D-Link DIR-605L Hardware Revision B2 firmware enables unauthenticated root access for remote attackers on the local network using static credentials 'Alphanetworks:wrgn76_dlwbr_dir605L'. The telnet daemon starts automatically at boot, validating credentials via strcmp() against hardcoded values in /etc/alpha_config/image_sign, granting complete administrative control to anyone who knows the password. This End-of-Life device will receive no security patches. EPSS data not available; no CISA KEV listing identified at time of analysis, suggesting targeted disclosure rather than widespread exploitation campaigns. | CRITICAL | 9.8 | 0.1% | 49 | No patch |
| CVE-2026-42375 | Remote root shell access via hardcoded telnet backdoor in D-Link DIR-600L Hardware Revision A1 allows network-adjacent attackers to authenticate with publicly known credentials ('Alphanetworks' / 'wrgn35_dlwbr_dir600l') and obtain full administrative control. The backdoor telnet daemon launches automatically at boot with static credentials stored in /etc/alpha_config/image_sign. The device is End-of-Life with no patches forthcoming, creating permanent exposure for deployed units. EPSS data not available; no CISA KEV listing identified, though the trivial exploitation complexity (CVSS AC:L, PR:N) and public disclosure make exploitation highly likely once details are disseminated. | CRITICAL | 9.8 | 0.1% | 49 | No patch |
| CVE-2026-42376 | Hardcoded telnet backdoor in D-Link DIR-456U Hardware Revision A1 firmware grants remote unauthenticated attackers root shell access using static credentials ('Alphanetworks' / 'whdrv01_dlob_dir456U'). The telnet daemon launches automatically at boot via /etc/init0.d/S80telnetd.sh and validates credentials through strcmp() comparison against hardcoded values in /etc/config/image_sign. Device is End-of-Life with no patches forthcoming. CVSS 9.8 reflects network-accessible unauthenticated remote code execution, though exploitation requires local network access to telnet service. | CRITICAL | 9.8 | 0.1% | 49 | No patch |
| CVE-2026-42372 | Hardcoded credentials in D-Link DIR-605L Hardware Revision A1 firmware grant root-level telnet access to unauthenticated attackers on adjacent networks. The telnet daemon automatically starts at boot with username 'Alphanetworks' and static password 'wrgn35_dlwbr_dir605l', enabling complete device takeover including network traffic interception, configuration modification, and pivot attacks against internal networks. This End-of-Life product will receive no vendor patch, requiring immediate device replacement. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, with adjacent network attack vector reducing but not eliminating risk for home and small office deployments. | HIGH | 8.8 | 0.0% | 44 | No patch |
| CVE-2026-36983 | Command injection in D-Link DCS-932L v2.18.01 allows remote unauthenticated attackers to execute arbitrary system commands via the LightSensorControl parameter in the /bin/alphapd binary. CVSS 7.3 indicates network-accessible exploitation with low complexity requiring no authentication or user interaction, though EPSS score of 0.15% (35th percentile) suggests low observed exploitation probability. No CISA KEV listing or confirmed active exploitation. Publicly documented vulnerability details exist on GitHub, increasing risk of future exploitation attempts against this end-of-life IoT camera model. | HIGH | 7.3 | 0.2% | 37 | No patch |
| CVE-2026-7554 | Weak password recovery in D-Link M60 up to version 1.20B02 allows remote attackers to compromise device authentication through manipulation of the /usr/bin/httpd binary, requiring high attack complexity but with publicly disclosed exploit code available. The vulnerability enables information disclosure and potential unauthorized access to device management functions despite the low CVSS score of 2.9 reflecting limited confidentiality impact. | LOW | 2.9 | 0.0% | 35 | PoC, No patch |
| CVE-2026-8344 | A weakness has been identified in D-Link DIR-816 1.10CNB05_R1B011D88210. Affected by this vulnerability is the function sub_445E7C of the file /goform | LOW | 2.1 | 0.5% | 31 | PoC, No patch |