CVE-2026-4204
Published: 16 March 2026
Description
A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The affected element is the function cgi_myfavorite_add/cgi_myfavorite_set/cgi_myfavorite_del/cgi_myfavorite_set_sort_info/cgi_myfavorite_remove_apkg/cgi_myfavorite_compare_apkg/cgi_mycloud_auto_downlaod of the file /cgi-bin/gui_mgr.cgi. Manipulation of the argument f_user causes command injection. The attack can be launched remotely. The exploit has been published and may be used.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Directly mitigates the CVE by requiring timely identification, reporting and patching of the command injection flaw in affected D-Link NAS firmware versions up to 20260205.
- Prevents exploitation by validating and sanitizing the f_user argument in the vulnerable CGI functions such as cgi_myfavorite_add. This is a change only the vendor can make inside the firmware; operators cannot retrofit it and must rely on updates, reduced network exposure and least privilege in the meantime.
- Limits the damage from low-privilege (PR:L) exploitation by ensuring accounts hold only the minimal privileges needed for legitimate NAS management functions.
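The input-validation control above, as an added illustration of the vulnerability class and its fix (hypothetical Python written for this page, not D-Link's gui_mgr.cgi, which is a compiled binary whose source the page does not show): the vulnerable pattern splices the f_user request parameter into a shell command line, while the hardened form allow-lists the value and passes it as its own argv element with no shell involved. The `echo` helper, the allow-list pattern and the constructed inputs are assumptions; only the parameter name f_user comes from the advisory.

```python
"""Command injection through a CGI parameter (the class behind CVE-2026-4204)
and the NIST SI-10 style fix. Hypothetical handler code written for this page;
it is not taken from D-Link firmware. Only the parameter name f_user comes
from the advisory. `echo` stands in for whatever the real back-end invokes."""
import re
import subprocess

# Allow-list for a NAS login name (assumed policy). Shell metacharacters
# (; | & ` $ < > newline) can never pass, so a value cannot terminate the
# intended command or append a second one.
_F_USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")


def vulnerable_run(f_user: str) -> str:
    """Vulnerable pattern: the request parameter is spliced into a command
    string that /bin/sh then parses. Returns the captured stdout."""
    cmd = f"echo add-favorite-for {f_user}"          # attacker controls the tail
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_f_user(f_user: str) -> bool:
    """True only when the whole value matches the allow-list."""
    return _F_USER_RE.fullmatch(f_user) is not None


def hardened_run(f_user: str) -> str:
    """Hardened form: reject anything outside the allow-list, then pass the
    value as a discrete argv element so no shell ever interprets it."""
    if not is_valid_f_user(f_user):
        raise ValueError("f_user rejected by allow-list")
    argv = ["echo", "add-favorite-for", f_user]      # no shell, no string building
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    benign = "alice"
    hostile = "alice; echo INJECTED"   # constructed input: ';' starts a second command
    print("vulnerable, benign :", vulnerable_run(benign).strip())
    print("vulnerable, hostile:", vulnerable_run(hostile).strip())
    print("hardened, benign   :", hardened_run(benign).strip())
    try:
        hardened_run(hostile)
    except ValueError as exc:
        print("hardened, hostile  : rejected ->", exc)
```

The hostile value makes the vulnerable handler print a second line, `INJECTED`, because the shell treats `;` as a command separator; the hardened handler never reaches the shell, and even if the allow-list were dropped, the argv form would pass the whole string to `echo` as one literal argument.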
Security Summary (AI-generated)
CVE-2026-4204 is a command injection vulnerability in multiple D-Link Network Attached Storage (NAS) devices: DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 running firmware versions up to 20260205. The flaw lies in /cgi-bin/gui_mgr.cgi, in the functions cgi_myfavorite_add, cgi_myfavorite_set, cgi_myfavorite_del, cgi_myfavorite_set_sort_info, cgi_myfavorite_remove_apkg, cgi_myfavorite_compare_apkg and cgi_mycloud_auto_downlaod. It stems from improper neutralization of the f_user argument, mapped to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-77 (Improper Neutralization of Special Elements used in a Command), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An attacker who already holds a low-privilege account on the device (PR:L) can exploit the flaw over the network with no user interaction: a crafted f_user value reaching any of the affected handlers is interpreted by the shell, so the attacker can run arbitrary commands in the context of the CGI process. The CVSS vector rates the confidentiality, integrity and availability impact as low; that rating assumes a constrained process, and where the CGI runs as root, as is common on consumer NAS firmware, command execution in practice means full control of the device and the data it stores.
Advisories and details are available via the VulDB entries (ctiid.351116, id.351116, submit.770409) and a GitHub repository that documents the vulnerability and a proof-of-concept exploit. The D-Link website offers general support resources, but the CVE data does not name a fixed firmware version. Practitioners should consult those references, check for a firmware release newer than 20260205, and keep in mind that many of the listed models are end-of-life, so a fix may never be published; for such devices, keeping the web interface off untrusted networks is the only effective control. A public exploit raises the likelihood of active exploitation.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Command injection in a web CGI script on a network-exposed NAS maps to Exploit Public-Facing Application (T1190) for the initial access and to Unix Shell (T1059.004) for the commands the injected f_user value makes the device run.
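One way to hunt for attempts matching these techniques in HTTP access logs, as an added example that is not from the page or its references: parse combined-format lines, pick out requests to /cgi-bin/gui_mgr.cgi, and flag any whose f_user value contains shell metacharacters after URL decoding. The assumption that the CGI function is selected by a `cmd` query parameter is mine (the page names the functions but not how they are addressed), and the log lines are constructed.

```python
"""Hunt for CVE-2026-4204 style requests in HTTP access logs.
Added example for this page, not detection content from the page's references.
Assumptions: combined log format; the handler is chosen by a `cmd` query
parameter (the advisory does not say how the functions are addressed);
parameters arrive in the GET query string (POST bodies are not logged)."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Function names as listed in the advisory ("downlaod" is the vendor spelling).
AFFECTED_FUNCS = {
    "cgi_myfavorite_add", "cgi_myfavorite_set", "cgi_myfavorite_del",
    "cgi_myfavorite_set_sort_info", "cgi_myfavorite_remove_apkg",
    "cgi_myfavorite_compare_apkg", "cgi_mycloud_auto_downlaod",
}
# Characters a legitimate user name never needs but a shell acts on.
SHELL_META = re.compile(r"[;|&`$<>\n]")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic. Line 2 carries a URL-encoded ';'.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Mar/2026:10:01:02 +0000] "GET /cgi-bin/gui_mgr.cgi?cmd=cgi_myfavorite_add&f_user=alice HTTP/1.1" 200 512
198.51.100.7 - - [16/Mar/2026:10:02:15 +0000] "GET /cgi-bin/gui_mgr.cgi?cmd=cgi_myfavorite_del&f_user=alice%3Bid HTTP/1.1" 200 96
198.51.100.7 - - [16/Mar/2026:10:02:16 +0000] "GET /cgi-bin/login_mgr.cgi?cmd=login&username=alice HTTP/1.1" 200 220
203.0.113.4 - - [16/Mar/2026:10:03:40 +0000] "POST /cgi-bin/gui_mgr.cgi HTTP/1.1" 200 128
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[dict]:
    """Return an alert for a gui_mgr.cgi request whose f_user carries shell
    metacharacters, else None. parse_qs percent-decodes the values."""
    url = urlsplit(entry["target"])
    if url.path != "/cgi-bin/gui_mgr.cgi":
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    cmd = params.get("cmd", [""])[0]
    f_user = params.get("f_user", [""])[0]
    if not SHELL_META.search(f_user):
        return None
    return {
        "ip": entry["ip"], "ts": entry["ts"], "status": entry["status"],
        "cmd": cmd, "f_user": f_user,
        "known_sink": cmd in AFFECTED_FUNCS,   # hit one of the listed handlers
        "attack_techniques": ["T1190", "T1059.004"],
    }


def find_suspicious(log_text: str) -> list:
    """Run every line through parse_line and classify; collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        alert = classify(entry)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

Only the second sample line is flagged: the benign request has a clean user name, the login_mgr.cgi request is a different endpoint, and the POST carries no query string. That last case is the caveat: access logs do not record request bodies, so if the device's web interface sits behind a reverse proxy, log the body or apply the same metacharacter rule there; a 200 status on a flagged request is worth more attention than a 4xx.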