Skip to main content

D-Link

Vendor security scorecard – 3 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 31
3
CVEs
1
Critical
1
High
0
KEV
2
PoC
2
Unpatched C/H
0.0%
Patch Rate
0.7%
Avg EPSS

Severity Breakdown

CRITICAL
1
HIGH
1
MEDIUM
1
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-13545 OS command injection in the D-Link DCS-935L Wi-Fi network camera (firmware 1.10.01) lets a remote attacker inject arbitrary operating-system commands through the UID POST parameter handled by the sub_400E40 function in setconf.cgi. The CVSS 4.0 vector requires low privileges (PR:L), so an attacker needs some level of authenticated/session access, after which they gain full confidentiality, integrity, and availability impact on the device. Publicly available exploit code exists (disclosed via VulDB), though there is no public exploit identified as actively exploited in the wild. HIGH 7.4 1.6% 59
PoC No patch
CVE-2026-15270 Least-privilege violation in the D-Link DIR-823G router (firmware 1.0.2B05_20181207) stems from insecure configuration of the Boa web server via /etc/boa/boa.conf, allowing an authenticated remote attacker to abuse over-broad privileges to compromise confidentiality, integrity, and availability. Publicly available exploit code exists, but the CVSS 4.0 vector rates attack complexity high (AC:H) and vendor guidance notes exploitation is difficult; there is no public exploit identified as actively exploited (not in CISA KEV). EPSS data was not supplied, but the low-privilege network vector combined with full CIA impact makes this a meaningful risk on exposed devices. MEDIUM 6.8 0.4% 54
PoC No patch
CVE-2026-52533 Privilege escalation in D-Link DIR-1253 firmware v1.0.1.250923.142435 stems from improper handling of the /etc/shadow file - the store of hashed local credentials - letting an attacker obtain or elevate to root-level access on the device. Publicly available exploit code exists (referenced via the zuh.re/codeberg advisory), but there is no public exploit identified as actively exploited and the CVE is not on the CISA KEV list. The published CVSS of 9.8 (AV:N) appears optimistic given that the core issue centers on a local system credential file, so the true remote-unauthenticated reach should be verified against the vendor advisory. CRITICAL 9.8 0.2% 49
No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy