| Title | D-Link DIR-823X 250416 OS Command Injection |
|---|
| Description | D-Link DIR-823X routers are susceptible to a Remote Command Injection vulnerability via the /goform/set_ac_status endpoint. The flaw exists in the backend handling of the ac_ipaddr, ac_ipstatus, and ap_randtime parameters. Due to an incomplete sanitization mechanism that fails to filter newline characters (\n or 0x0A), an authenticated attacker can inject arbitrary shell commands. These commands are executed with root privileges when the system commits the configuration and restarts the associated service via the system shell. |
|---|
| Source | ⚠️ https://github.com/master-abc/cve/issues/23 |
|---|
| User | jiefengliang (UID 93721) |
|---|
| Submission | 01/26/2026 18:57 (5 months ago) |
|---|
| Moderation | 02/06/2026 21:45 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 344764 [D-Link DIR-823X 250416 /goform/set_ac_status ac_ipaddr/ac_ipstatus/ap_randtime os command injection] |
|---|
| Points | 20 |
|---|