| Название | D-Link DIR 250416 OS Command Injection |
|---|
| Описание | D-Link DIR-823X routers are susceptible to a Remote Command Injection vulnerability via the /goform/set_language endpoint. The flaw exists in the backend handling of the langSelection parameter.
Due to an incomplete sanitization mechanism that fails to filter newline characters (\n or 0x0A), an authenticated attacker can inject arbitrary shell commands. When the system commits the language configuration, the injected commands are executed with root privileges via the system shell. |
|---|
| Источник | ⚠️ https://github.com/master-abc/cve/issues/24 |
|---|
| Пользователь | 942384053 (UID 94603) |
|---|
| Представление | 24.01.2026 11:01 (3 месяцы назад) |
|---|
| Модерация | 06.02.2026 09:15 (13 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 344651 [D-Link DIR-823X 250416 /goform/set_language langSelection эскалация привилегий] |
|---|
| Баллы | 20 |
|---|