CVE-2026-4181

CriticalPublic PoC

Published: 16 March 2026

Published

16 March 2026

Modified

06 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0027 50.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A security flaw has been discovered in D-Link DIR-816 1.10CNB05. This affects an unknown function of the file /goform/form2RepeaterStep2.cgi of the component goahead. The manipulation of the argument key1/key2/key3/key4/pskValue results in stack-based buffer overflow. The attack may be launched remotely.…

The exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer.

Mitigating Controls (NIST 800-53 r5)AI

SA-22 Unsupported System Components good match

prevent

Prohibits the use of unsupported end-of-life system components like the D-Link DIR-816 firmware with no patches available for this buffer overflow vulnerability.

SI-10 Information Input Validation good match

prevent

Validates manipulated arguments such as key1, key2, key3, key4, and pskValue to prevent stack-based buffer overflows in the vulnerable CGI script.

SI-16 Memory Protection good match

prevent

Implements memory protections like stack canaries and non-executable memory to mitigate arbitrary code execution from the stack-based buffer overflow.

Security SummaryAI

CVE-2026-4181 is a stack-based buffer overflow vulnerability affecting the D-Link DIR-816 router on firmware version 1.10CNB05. The issue resides in an unknown function of the file /goform/form2RepeaterStep2.cgi within the goahead web server component. It is triggered by remote manipulation of the arguments key1, key2, key3, key4, and pskValue, as associated with CWE-119, CWE-121, and CWE-787.

The vulnerability enables remote exploitation by unauthenticated attackers with no privileges required and no user interaction needed, earning a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Attackers can achieve high confidentiality, integrity, and availability impacts, potentially leading to arbitrary code execution on the device. A public exploit has been released.

Affected products are no longer supported by the maintainer, with no patches available. Advisories on VulDB detail the issue and submission, while a GitHub repository provides exploit documentation. The D-Link website is referenced but offers no specific mitigation for this end-of-life firmware; practitioners should prioritize network isolation, replacement, or decommissioning of vulnerable devices.

Details

CWE(s): CWE-119 CWE-121 CWE-787

Affected Products

dlink

dir-816 firmware

1.10cnb05

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a remote, unauthenticated stack-based buffer overflow in a public-facing web server CGI script on a router, directly enabling arbitrary code execution via exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_85/85.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.351085
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.351085
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.769829
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.dlink.com/
Product · cna@vuldb.com