CVE-2026-10878
BaseFortify
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| d-link | dwr-m920 | 1.1.50 |
| d-link | dwr-m920 | 1.1.70 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10878 is a stack overflow and command injection vulnerability found in D-Link DWR-M920 routers running firmware versions 1.1.50 and 1.1.70.
The flaw exists in the /boafrm/formSmsManage route, specifically in the handling of the action_value parameter. This parameter is processed without proper length validation or sanitization before being passed to functions like sprintf and system.
Because of this, an attacker can remotely send specially crafted POST requests with oversized or maliciously formatted action_value parameters to trigger a stack-based buffer overflow or execute arbitrary commands on the device.
- Examples of exploits include sending long strings of characters to cause overflow or injecting shell commands such as "; ls > /sms.txt" to execute commands.
The vulnerability has been publicly disclosed and proof-of-concept exploits are available.
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary commands on affected D-Link DWR-M920 routers.
Successful exploitation can lead to unauthorized control over the device, potentially allowing attackers to manipulate router settings, intercept or redirect network traffic, or deploy further attacks within the network.
Additionally, the stack overflow aspect could cause the device to crash or become unstable, resulting in denial of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending specially crafted POST requests to the /boafrm/formSmsManage route of the D-Link DWR-M920 router. Specifically, testing the action_value parameter with oversized strings or shell metacharacters can reveal if the system is vulnerable.
- Send a POST request with a long string of 'A' characters in the action_value parameter to test for stack overflow.
- Send a POST request with a command injection payload, such as action_value="; ls > /sms.txt", to check if arbitrary commands can be executed.
Example command using curl to test command injection: curl -X POST http://<router-ip>/boafrm/formSmsManage -d "action_value=; ls > /sms.txt"
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the vulnerable firmware versions 1.1.50 and 1.1.70 on D-Link DWR-M920 routers.
Implement strict input validation on the action_value parameter to reject shell metacharacters and prevent command injection.
Improve length checks on input parameters to prevent stack-based buffer overflows.
If possible, update the router firmware to a version where this vulnerability is patched or apply vendor-provided patches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.