CVE-2026-4197
Published: 16 March 2026
Description
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected is the function RSS_Get_Update_Status/RSS_Update/RSS_Channel_AutoDownlaod/RSS_Add/RSS_Channel_Item_Downlaod/RSS_History_Item_List/RSS_Item_List of the file /cgi-bin/download_mgr.cgi. The manipulation results in command injection. The attack may be performed from remote. The exploit has been made public and could be used.
Mitigating Controls (NIST 800-53 r5)
Directly remediates the command injection flaw in the download_mgr.cgi RSS functions by identifying, reporting, and correcting the vulnerability in affected D-Link NAS firmware.
Validates and sanitizes inputs to the RSS functions in download_mgr.cgi to prevent command injection payloads from being executed.
Enforces least privilege on the processes handling RSS functions, limiting the scope and impact of any successful command injection by low-privileged attackers.
Security Summary
CVE-2026-4197 is a command injection vulnerability affecting multiple D-Link Network Attached Storage (NAS) devices, including models DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04 running firmware versions up to 20260205. The issue resides in the RSS_Get_Update_Status, RSS_Update, RSS_Channel_AutoDownlaod, RSS_Add, RSS_Channel_Item_Downlaod, RSS_History_Item_List, and RSS_Item_List functions within the /cgi-bin/download_mgr.cgi file. It is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-77 (Command Injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.
The vulnerability can be exploited remotely by an attacker with low privileges, such as an authenticated user, requiring low attack complexity and no user interaction. Successful exploitation allows arbitrary command injection, potentially leading to limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or denial of service on the affected device.
Advisories referenced in VulDB entries (ctiid.351109, id.351109, submit.769864) and GitHub repositories detail the vulnerability disclosure, confirming that a public exploit is available, which could facilitate widespread targeting of unpatched D-Link NAS devices. No specific patches or vendor mitigations are detailed in the provided references.
The exploit has been publicly disclosed, increasing the risk of active exploitation against internet-exposed instances of these legacy D-Link NAS models.
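As an added example (not part of the VulDB record or of D-Link's firmware), the following Python flags web-server access-log requests to /cgi-bin/download_mgr.cgi that invoke one of the RSS functions named above with shell metacharacters in a parameter value. It assumes a combined-log-format access log and that the CGI selects its handler through a `cmd` query parameter (both assumptions; the record names no parameters), and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Handler names exactly as the CVE record lists them (including the firmware's own
# "Downlaod" spelling). The record names no parameters, so HANDLER_PARAM = "cmd"
# is an ASSUMPTION about how download_mgr.cgi selects its handler.
RSS_FUNCTIONS = {
    "RSS_Get_Update_Status", "RSS_Update", "RSS_Channel_AutoDownlaod", "RSS_Add",
    "RSS_Channel_Item_Downlaod", "RSS_History_Item_List", "RSS_Item_List",
}
TARGET_PATH = "/cgi-bin/download_mgr.cgi"
HANDLER_PARAM = "cmd"
# Characters a shell would interpret; none belong in a feed name or URL field
# (drop '&' for the url field if legitimate feed URLs trip it).
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")
# Combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def analyze_line(line):
    """Finding dict for a request to one of the RSS handlers, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None  # some other CGI
    params = parse_qs(parts.query, keep_blank_values=True)
    handler = params.get(HANDLER_PARAM, [""])[0]
    if handler not in RSS_FUNCTIONS:
        return None  # POST bodies never reach the access log: inspect those at a proxy/WAF
    # parse_qs decoded once; decode again so a double-encoded %253B is still caught.
    suspicious = {k: v for k, vs in params.items() if k != HANDLER_PARAM
                  for v in vs if SHELL_META.search(unquote(v))}
    return {"ip": m.group("ip"), "ts": m.group("ts"), "function": handler,
            "suspicious": suspicious, "severity": "alert" if suspicious else "info"}

def scan(lines):
    """Only the alert-level findings: RSS-handler calls carrying shell metacharacters."""
    return [f for f in map(analyze_line, lines) if f and f["severity"] == "alert"]

# Constructed sample lines (RFC 5737 addresses, placeholder feed host), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Mar/2026:10:00:01 +0000] "GET /cgi-bin/download_mgr.cgi?cmd=RSS_Add&url=http://feeds.example.test/news.xml&name=news HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Mar/2026:10:00:05 +0000] "GET /cgi-bin/download_mgr.cgi?cmd=RSS_Item_List&url=http://feeds.example.test/x.xml%3Bid HTTP/1.1" 200 77',
    '192.0.2.10 - - [16/Mar/2026:10:00:09 +0000] "GET /cgi-bin/other.cgi?cmd=status HTTP/1.1" 200 130',
    '198.51.100.7 - - [16/Mar/2026:10:00:12 +0000] "POST /cgi-bin/download_mgr.cgi HTTP/1.1" 200 30',
]
for f in scan(SAMPLE_LOG):
    print(f["ts"], f["ip"], f["function"], f["suspicious"])
```

Because the CGI accepts the same parameters by POST, an access log alone only covers GET requests; the same check belongs in a reverse proxy or WAF that sees request bodies.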
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote exploitation of a public-facing CGI script (T1190) for arbitrary Unix shell command injection (T1059.004) on the Linux-based NAS devices.