CVE-2026-4184

CriticalPublic PoC

Published: 16 March 2026

Published

16 March 2026

Modified

19 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0027 50.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was detected in D-Link DIR-816 1.10CNB05. Affected by this vulnerability is an unknown functionality of the file /goform/form2Wl5BasicSetup.cgi of the component goahead. Performing a manipulation of the argument pskValue results in stack-based buffer overflow. The attack is possible…

to be carried out remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Mitigating Controls (NIST 800-53 r5)AI

SA-22 Unsupported System Components good match

prevent

Prohibits the use of end-of-support products like the EOL D-Link DIR-816, directly mitigating exposure to unpatchable vulnerabilities such as CVE-2026-4184.

SI-10 Information Input Validation good match

prevent

Requires validation of inputs like the pskValue argument to prevent stack-based buffer overflows in the vulnerable /goform/form2Wl5BasicSetup.cgi endpoint.

SI-16 Memory Protection partial match

prevent

Implements memory protections to mitigate arbitrary code execution from stack-based buffer overflows even if invalid inputs reach the goahead component.

Security SummaryAI

CVE-2026-4184 is a stack-based buffer overflow vulnerability affecting the D-Link DIR-816 router on firmware version 1.10CNB05. The flaw exists in an unknown functionality of the file /goform/form2Wl5BasicSetup.cgi within the goahead component, where manipulation of the pskValue argument triggers the overflow. Published on 2026-03-16, it is associated with CWEs-119, CWE-121, and CWE-787, and carries a CVSS v3.1 base score of 9.8.

The vulnerability enables remote exploitation over the network with low complexity, requiring no privileges, authentication, or user interaction (AV:N/AC:L/PR:N/UI:N). Successful attacks can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing full device compromise such as arbitrary code execution. An exploit is publicly available and may be used against vulnerable instances.

Advisories note that this vulnerability only affects products no longer supported by the maintainer, with no patches available. Relevant references include VulDB entries detailing the issue (vuldb.com/?ctiid.351088, vuldb.com/?id.351088, vuldb.com/?submit.769832), a GitHub repository with exploit information (github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_88/88.md), and the D-Link website (dlink.com). Mitigation requires isolating or retiring affected devices.

Details

CWE(s): CWE-119 CWE-121 CWE-787

Affected Products

dlink

dir-816 firmware

1.10cnb05

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Stack-based buffer overflow in public-facing web CGI (/goform/form2Wl5BasicSetup.cgi) on D-Link router enables remote unauthenticated arbitrary code execution, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_88/88.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.351088
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.351088
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.769832
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.dlink.com/
Product · cna@vuldb.com