{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2193", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-07T17:32:45.833Z", "datePublished": "2026-02-08T23:02:11.243Z", "dateUpdated": "2026-02-23T09:51:21.510Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:51:21.510Z"}, "title": "D-Link DI-7100G C1 set_jhttpd_info command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "D-Link", "product": "DI-7100G C1", "versions": [{"version": "24.04.18D1", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in D-Link DI-7100G C1 24.04.18D1. Affected by this issue is the function set_jhttpd_info. Performing a manipulation of the argument usb_username results in command injection. Remote exploitation of the attack is possible."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-02-07T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-07T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-12T08:47:12.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "jfkk (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.344896", "name": "VDB-344896 | D-Link DI-7100G C1 set_jhttpd_info command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344896", "name": "VDB-344896 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.749803", "name": "Submit #749803 | D-Link DI-7100G C1, 24.04.18D1 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_4.md", "tags": ["related"]}, {"url": "https://www.dlink.com/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T16:42:41.502126Z", "id": "CVE-2026-2193", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T16:43:10.885Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2193", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T16:42:41.502126Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T16:43:01.080Z"}}], "cna": {"title": "D-Link DI-7100G C1 set_jhttpd_info command injection", "credits": [{"lang": "en", "type": "reporter", "value": "jfkk (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR"}}], "affected": [{"vendor": "D-Link", "product": "DI-7100G C1", "versions": [{"status": "affected", "version": "24.04.18D1"}]}], "timeline": [{"lang": "en", "time": "2026-02-07T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-07T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-12T08:47:12.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.344896", "name": "VDB-344896 | D-Link DI-7100G C1 set_jhttpd_info command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.344896", "name": "VDB-344896 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.749803", "name": "Submit #749803 | D-Link DI-7100G C1, 24.04.18D1 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_4.md", "tags": ["related"]}, {"url": "https://www.dlink.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in D-Link DI-7100G C1 24.04.18D1. Affected by this issue is the function set_jhttpd_info. Performing a manipulation of the argument usb_username results in command injection. Remote exploitation of the attack is possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:51:21.510Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2193", "state": "PUBLISHED", "dateUpdated": "2026-02-23T09:51:21.510Z", "dateReserved": "2026-02-07T17:32:45.833Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-08T23:02:11.243Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dlink:di-7100g_c1_firmware:24.04.18d1:*:*:*:*:*:*:*", "matchCriteriaId": "7A158880-0B6A-4F44-812B-DD64AB28505B", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dlink:di-7100g_c1:-:*:*:*:*:*:*:*", "matchCriteriaId": "B661C392-F07F-4BF5-B559-B00693C63E94", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in D-Link DI-7100G C1 24.04.18D1. Affected by this issue is the function set_jhttpd_info. Performing a manipulation of the argument usb_username results in command injection. Remote exploitation of the attack is possible."}], "id": "CVE-2026-2193", "lastModified": "2026-02-11T18:37:22.753", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-08T23:15:49.840", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_4.md"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.344896"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.344896"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.749803"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://www.dlink.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}], "source": "cna@vuldb.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T21:41:42.132520+00:00", "value": {"mitigation_remediation": ["Update the DI-7100G C1 firmware to the latest version provided by D\u2011Link.", "Configure network firewalls or routers to block external access to the device\u2019s web interface, limiting exposure to trusted internal traffic.", "Consider disabling the web management interface entirely if management can be performed through alternative methods, or apply local access controls to restrict the management interface to a secure IP range."], "summary": {"action": "Immediate Patch", "impact": "Command injection leading to remote command execution"}, "threat_synthesis": {"affected_systems": "Affected product: D-Link DI-7100G C1 running firmware version 24.04.18D1. The vulnerability is present only in this specific firmware build and may be mitigated by updating to a newer, patched version.", "description_and_impact": "The vulnerability involves the function set_jhttpd_info in the firmware of the D-Link DI-7100G C1. Manipulation of the usb_username parameter allows arbitrary command injection, enabling an attacker to execute commands on the device without authentication. This flaw falls under CWE\u201174 (Improper Validation of Input) and CWE\u201177 (Command Injection). The potential impact is complete control over the device, enabling further compromise of the network.", "risk_and_exploitability": "The CVSS score is 5.3, indicating a moderate severity, and the EPSS score is below 1%, suggesting low current exploitation probability. However, the vulnerability is exposed via a web-based interface and remote exploitation is possible, meaning an attacker with network visibility could potentially abuse it. The flaw is not listed in the CISA KEV catalog, but its remote nature warrants immediate attention."}}}}, "created": "2026-02-09T10:40:01.177336+00:00", "updated": "2026-04-17T21:45:28.636158+00:00", "vendors": ["d-link", "d-link$PRODUCT$di-7100g_c1"]}