Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2026-8346 |
|
Vulnerability in dlink (CVE-2026-8346)
vulnerability in dlink (CVE-2026-8346). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-8345 |
|
Vulnerability in dlink (CVE-2026-8345)
vulnerability in dlink (CVE-2026-8345). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-8344 |
|
Vulnerability in dlink (CVE-2026-8344)
vulnerability in dlink (CVE-2026-8344). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-36983 |
|
Command Injection in dlink (CVE-2026-36983)
command injection in dlink (CVE-2026-36983). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-8272 |
|
Command Injection in dlink (CVE-2026-8272)
command injection in dlink (CVE-2026-8272). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-8273 |
|
Command Injection in dlink (CVE-2026-8273)
command injection in dlink (CVE-2026-8273). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-8271 |
|
Command Injection in dlink (CVE-2026-8271)
command injection in dlink (CVE-2026-8271). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-8260 |
|
Buffer Overflow in dlink (CVE-2026-8260)
vulnerability in dlink (CVE-2026-8260). Successful exploitation can lead to full system takeover.
|
| CVE-2026-42376 |
|
Vulnerability in dlink (CVE-2026-42376)
vulnerability in dlink (CVE-2026-42376). Successful exploitation can lead to full system takeover.
|
| CVE-2017-14413 |
|
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/wpsacts.php.
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/wpsacts.php.
|
| CVE-2017-14430 |
|
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices allow remote attackers to cause a denial of service (daemon crash) via crafte...
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices allow remote attackers to cause a denial of service (daemon crash) via crafted LAN traffic.
|
| CVE-2017-14414 |
|
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/shareport.php.
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/shareport.php.
|
| CVE-2017-14415 |
|
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/sitesurvey.php.
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/sitesurvey.php.
|
| CVE-2017-14416 |
|
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/wandetect.php.
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices have XSS in the action parameter to htdocs/web/wandetect.php.
|
| CVE-2017-14417 |
|
register_send.php on D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices does not require authentication, which can result in unintended enrollment in mydlink Cloud Services.
register_send.php on D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices does not require authentication, which can result in unintended enrollment in mydlink Cloud Services.
|
| CVE-2017-14418 |
|
The D-Link NPAPI extension, as used in conjunction with D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices, sends the cleartext admin password over the Internet as part of interaction w...
The D-Link NPAPI extension, as used in conjunction with D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices, sends the cleartext admin password over the Internet as part of interaction with mydlink Cloud Services.
|
| CVE-2017-14419 |
|
The D-Link NPAPI extension, as used on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices, participates in mydlink Cloud Service...
The D-Link NPAPI extension, as used on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices, participates in mydlink Cloud Services by establishing a TCP relay service for HTTP, even though a TCP relay service for HTTPS is also es...
|
| CVE-2017-14420 |
|
The D-Link NPAPI extension, as used on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices, does not verify X.509 certificates fr...
The D-Link NPAPI extension, as used on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive infor...
|
| CVE-2017-14421 |
|
D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices have a hardcoded password of wrgac25_dlink.2013gui_dir850l for the Alphanetworks account upon device reset, which allows remote attack...
D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices have a hardcoded password of wrgac25_dlink.2013gui_dir850l for the Alphanetworks account upon device reset, which allows remote attackers to obtain root access via a TELNET session.
|
| CVE-2017-14422 |
|
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices use the same hardcoded /etc/stunnel.key private key across different customer...
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices use the same hardcoded /etc/stunnel.key private key across different customers' installations, which allows remote attackers to defeat the HTTPS cryptographic protection mechani...
|
| CVE-2017-14423 |
|
htdocs/parentalcontrols/bind.php on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices does not prevent unauthenticated nonce-guessing attacks, which makes it easier for remo...
htdocs/parentalcontrols/bind.php on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices does not prevent unauthenticated nonce-guessing attacks, which makes it easier for remote attackers to change the DNS configuration via a series of requests.
|
| CVE-2017-14424 |
|
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/passwd permissions.
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/passwd permissions.
|
| CVE-2017-14425 |
|
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/etc/hnapasswd permissions.
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/etc/hnapasswd permissions.
|
| CVE-2017-14426 |
|
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0644 /var/etc/shadow (aka the /etc/shadow symlink target) permissions.
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0644 /var/etc/shadow (aka the /etc/shadow symlink target) permissions.
|
| CVE-2017-14427 |
|
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/run/storage_account_root permissions.
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/run/storage_account_root permissions.
|
| CVE-2017-14428 |
|
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/run/hostapd* permissions.
D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices have 0666 /var/run/hostapd* permissions.
|
| CVE-2017-14429 |
|
The DHCP client on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices allows unauthenticated remote code execution as root becau...
The DHCP client on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) and REV. B (with firmware through FW208WWb02) devices allows unauthenticated remote code execution as root because /etc/services/INET/inet_ipv4.php mishandles shell metacharacters, affecting generated files such...
|
| CVE-2016-10405 |
|
Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web sessions via unspecified vectors.
Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web sessions via unspecified vectors.
|
| CVE-2014-7860 |
|
The web/web_file/fb_publish.php script in D-Link DNS-320L before 1.04b12 and DNS-327L before 1.03b04 Build0119 does not authenticate requests, which allows remote attackers to obtain arbitrary photos...
The web/web_file/fb_publish.php script in D-Link DNS-320L before 1.04b12 and DNS-327L before 1.03b04 Build0119 does not authenticate requests, which allows remote attackers to obtain arbitrary photos and publish them to an arbitrary Facebook profile via a target album_id and access_token.
|
| CVE-2014-7859 |
|
Stack-based buffer overflow in login_mgr.cgi in D-Link firmware DNR-320L and DNS-320LW before 1.04b08, DNR-322L before 2.10 build 03, DNR-326 before 2.10 build 03, and DNS-327L before 1.04b01 allows r...
Stack-based buffer overflow in login_mgr.cgi in D-Link firmware DNR-320L and DNS-320LW before 1.04b08, DNR-322L before 2.10 build 03, DNR-326 before 2.10 build 03, and DNS-327L before 1.04b01 allows remote attackers to execute arbitrary code by crafting malformed "Host" and "Referer" header values.
|
| CVE-2014-7858 |
|
The check_login function in D-Link DNR-326 before 2.10 build 03 allows remote attackers to bypass authentication and log in by setting the username cookie parameter to an arbitrary string.
The check_login function in D-Link DNR-326 before 2.10 build 03 allows remote attackers to bypass authentication and log in by setting the username cookie parameter to an arbitrary string.
|
| CVE-2014-7857 |
|
D-Link DNS-320L firmware before 1.04b12, DNS-327L before 1.03b04 Build0119, DNR-326 1.40b03, DNS-320B 1.02b01, DNS-345 1.03b06, DNS-325 1.05b03, and DNS-322L 2.00b07 allow remote attackers to bypass a...
D-Link DNS-320L firmware before 1.04b12, DNS-327L before 1.03b04 Build0119, DNR-326 1.40b03, DNS-320B 1.02b01, DNS-345 1.03b06, DNS-325 1.05b03, and DNS-322L 2.00b07 allow remote attackers to bypass authentication and log in with administrator permissions by passing the cgi_set_wto command in the cm...
|
| CVE-2017-12943 |
|
D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack, as demonstrated by discovering the a...
D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?REQUIRE_FILE= absolute path traversal attack, as demonstrated by discovering the admin password.
|
| CVE-2017-10676 |
|
On D-Link DIR-600M devices before C1_v3.05ENB01_beta_20170306, XSS was found in the form2userconfig.cgi username parameter.
On D-Link DIR-600M devices before C1_v3.05ENB01_beta_20170306, XSS was found in the form2userconfig.cgi username parameter.
|
| CVE-2017-11436 |
|
D-Link DIR-615 before v20.12PTb04 has a second admin account with a 0x1 BACKDOOR value, which might allow remote attackers to obtain access via a TELNET connection.
D-Link DIR-615 before v20.12PTb04 has a second admin account with a 0x1 BACKDOOR value, which might allow remote attackers to obtain access via a TELNET connection.
|
| CVE-2017-7404 |
|
On the D-Link DIR-615 before v20.12PTb04, if a victim logged in to the Router's Web Interface visits a malicious site from another Browser tab, the malicious site then can send requests to the victim'...
On the D-Link DIR-615 before v20.12PTb04, if a victim logged in to the Router's Web Interface visits a malicious site from another Browser tab, the malicious site then can send requests to the victim's Router without knowing the credentials (CSRF). An attacker can host a page that sends a POST reque...
|
| CVE-2017-7405 |
|
On the D-Link DIR-615 before v20.12PTb04, once authenticated, this device identifies the user based on the IP address of his machine. By spoofing the IP address belonging to the victim's host, an atta...
On the D-Link DIR-615 before v20.12PTb04, once authenticated, this device identifies the user based on the IP address of his machine. By spoofing the IP address belonging to the victim's host, an attacker might be able to take over the administrative session without being prompted for authentication...
|
| CVE-2017-7406 |
|
The D-Link DIR-615 device before v20.12PTb04 doesn't use SSL for any of the authenticated pages. Also, it doesn't allow the user to generate his own SSL Certificate. An attacker can simply monitor net...
The D-Link DIR-615 device before v20.12PTb04 doesn't use SSL for any of the authenticated pages. Also, it doesn't allow the user to generate his own SSL Certificate. An attacker can simply monitor network traffic to steal a user's credentials and/or credentials of users being added while sniffing th...
|
| CVE-2017-9675 |
|
Vulnerability in dlink (CVE-2017-9675)
vulnerability in dlink (CVE-2017-9675). Risk of unauthorized operations or information disclosure.
|
| CVE-2017-9542 |
|
Authentication Bypass in d-link (CVE-2017-9542)
authentication bypass in d-link (CVE-2017-9542). Successful exploitation can lead to full system takeover.
|
| CVE-2017-9100 |
|
Authentication Bypass in dlink (CVE-2017-9100)
authentication bypass in dlink (CVE-2017-9100). Successful exploitation can lead to full system takeover.
|
| CVE-2015-7247 |
|
Information Disclosure in d-link (CVE-2015-7247)
vulnerability in d-link (CVE-2015-7247). Successful exploitation can lead to full system takeover.
|
| CVE-2015-7246 |
|
Vulnerability in d-link (CVE-2015-7246)
vulnerability in d-link (CVE-2015-7246). Successful exploitation can lead to full system takeover.
|
| CVE-2015-7245 |
|
Path Traversal in path-traversal (CVE-2015-7245)
path traversal in path-traversal (CVE-2015-7245). Confidential information can be exposed externally.
|
| CVE-2017-7852 |
|
Cross-Site Request Forgery (CSRF) in csrf (CVE-2017-7852)
vulnerability in csrf (CVE-2017-7852). Successful exploitation can lead to full system takeover.
|
| CVE-2016-1558 |
|
Buffer Overflow in dlink (CVE-2016-1558)
vulnerability in dlink (CVE-2016-1558). Successful exploitation can lead to full system takeover.
|
| CVE-2016-1559 |
|
Information Disclosure in d-link (CVE-2016-1559)
vulnerability in d-link (CVE-2016-1559). Successful exploitation can lead to full system takeover.
|
| CVE-2017-6190 |
|
Path Traversal in path-traversal (CVE-2017-6190)
path traversal in path-traversal (CVE-2017-6190). Confidential information can be exposed externally. Exploitable via `GET /uir/`.
|
| CVE-2017-7398 |
|
Cross-Site Request Forgery (CSRF) in csrf (CVE-2017-7398)
vulnerability in csrf (CVE-2017-7398). Successful exploitation can lead to full system takeover.
|
| CVE-2017-5874 |
|
Cross-Site Request Forgery (CSRF) in csrf (CVE-2017-5874)
vulnerability in csrf (CVE-2017-5874). Successful exploitation can lead to full system takeover.
|