CVE-2026-2084
OS Command Injection in D-Link DIR-823X /goform/set_language
Publication date: 2026-02-07
Last updated on: 2026-02-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-823x_firmware | 250416 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2084 is a remote OS command injection vulnerability found in the D-Link DIR-823X router, firmware version 250416. The flaw exists in the handling of the /goform/set_language endpoint, specifically through the manipulation of the langSelection parameter.
The vulnerability arises because the langSelection parameter is not properly sanitized, allowing an authenticated attacker to inject arbitrary shell commands by including newline characters that bypass filtering.
When the system commits the language configuration, these injected commands are executed with root privileges, giving the attacker full control over the device.
Exploitation requires authentication but can be performed remotely, and a public proof-of-concept exploit is available.
How can this vulnerability impact me? :
This vulnerability can severely impact the confidentiality, integrity, and availability of the affected D-Link DIR-823X router.
- An attacker with valid authentication can execute arbitrary commands with root privileges remotely.
- This can lead to full device compromise, including unauthorized access, data theft, device manipulation, or denial of service.
- Because the exploit is publicly available and easy to use, the risk of attack is high.
No known mitigations exist other than replacing the affected product, so the device remains vulnerable until patched or replaced.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the /goform/set_language endpoint on the D-Link DIR-823X router firmware version 250416 for command injection via the langSelection parameter. Since the vulnerability requires authentication, detection involves authenticating to the device and sending crafted POST requests with payloads containing newline characters to observe if arbitrary commands are executed.'}, {'type': 'paragraph', 'content': "A proof-of-concept Python script exists that authenticates using a token-based HMAC-SHA256 password hash and sends POST requests to /goform/set_language with injected commands via newline characters. For example, injecting a command like 'sleep 3' can be used to detect command execution by measuring response delays."}, {'type': 'list_item', 'content': 'Authenticate to the router using valid credentials.'}, {'type': 'list_item', 'content': 'Send a POST request to /goform/set_language with the langSelection parameter containing newline characters and shell commands.'}, {'type': 'list_item', 'content': "Observe the response time or behavior changes (e.g., delayed response from 'sleep' command) to confirm command injection."}, {'type': 'list_item', 'content': 'Example command using curl (after authentication):'}, {'type': 'list_item', 'content': "curl -X POST -d 'langSelection=en\\n sleep 3' http://<router-ip>/goform/set_language"}] [4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting and validating input to the langSelection parameter to prevent injection of newline and control characters.
- Implement strict whitelisting for the langSelection parameter, allowing only predictable language codes composed of alphanumeric characters and hyphens.
- Explicitly reject control characters such as line feed (0x0A) and carriage return (0x0D) in the input.
- Avoid using shell-wrapped scripts for configuration changes; instead, use parameterized or native APIs to prevent passing user input to the shell.
Since no official patches or countermeasures are documented, it is recommended to replace the affected device with an alternative product if possible.