CVE-2026-8273 PUBLISHED

A weakness has been identified in D-Link DNS-320 2.06B01. This impacts the function cgi_set_host/cgi_set_ntp/cgi_fan_control/cgi_merge_user of the file /cgi-bin/system_mgr.cgi. This manipulation causes os command injection. It is possible to initiate the attack remotely.

• ST4R (VulDB User) reporter

• VDB-362570 | D-Link DNS-320 system_mgr.cgi cgi_merge_user os command injection
• VDB-362570 | CTI Indicators (IOB, IOC, TTP, IOA)
• Submit #810082 | D-Link Corporation DNS-320 ShareCenter NAS (Rev.A) Firmware 2.06B01 HOTFIX CWE-78: OS Command Injection
• https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/D-Link%20DNS-320%20%20system_mgraccount_mgrdsk_mgrapp_mgr%20Multiple%20CGI%20OS%20Command%20Injection.md
• https://www.dlink.com/

• OS Command Injection CWE
• Command Injection CWE