CVE-2026-8260

Published May 11th, 2026

View on NVD ↗

CVSS v3

8.8

HIGH

CVSS v2

HIGH

Affected

PROJECT

Description

A vulnerability was found in D-Link DCS-935L up to 1.10.01. The impacted element is the function SetDeviceSettings of the file /web/cgi-bin/hnap/hnap_service of the component HNAP Service. The manipulation of the argument AdminPassword results in buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used.

0xcc12138/DCS-935L-HNAP-Service-CVE

This vulnerability exists in the HNAP service handler of the D-Link DCS-935L firmware. An attacker can exploit a flaw in `AESDecrypt` and its underlying decoding function by sending a specially crafted malicious XML request, triggering a stack-based buffer overflow and subsequently achieving Remote Code Execution (RCE).

GitHub