CVE-2026-5212
Published: 31 March 2026
Description
A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This issue affects the function Webdav_Upload_File of the file /cgi-bin/webdav_mgr.cgi. The manipulation of the argument f_file leads to a stack-based buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used.
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly mitigates the stack-based buffer overflow by applying vendor patches or workarounds to affected D-Link NAS firmware.
Information input validation on the f_file argument in Webdav_Upload_File prevents the buffer overflow by rejecting malformed or oversized inputs.
Memory protection mechanisms like stack canaries and non-executable stacks block exploitation of the stack-based buffer overflow even if invalid input reaches the function.
Security Summary
CVE-2026-5212 is a stack-based buffer overflow vulnerability affecting the Webdav_Upload_File function in the /cgi-bin/webdav_mgr.cgi component of multiple D-Link network-attached storage (NAS) devices. The issue impacts models including DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04 running firmware versions up to 20260205. It is associated with CWE-119, CWE-121, and CWE-787, and was published on 2026-03-31.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity. It can be exploited remotely by an authenticated attacker with low privileges who manipulates the f_file argument during a WebDAV file upload operation. Successful exploitation enables arbitrary code execution with high impacts on confidentiality, integrity, and availability, potentially leading to full device compromise.
Advisories referenced in VulDB entries (vuldb.com/vuln/354348 and related submits) and a GitHub disclosure (github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_166/166.md) detail the vulnerability but do not specify patches or mitigations in the available description.
The exploit has been publicly disclosed and may be used in attacks, elevating the risk for exposed D-Link NAS devices.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in public-facing WebDAV CGI endpoint (/cgi-bin/webdav_mgr.cgi) on D-Link NAS devices enables remote code execution by authenticated low-privilege attackers, directly mapping to T1190: Exploit Public-Facing Application.