CVE-2026-10270 - Vulnerability Details

- D-Link DI-7001 MINI API httpd_debug.asp sprintf stack-based overflow

Description

A vulnerability was detected in D-Link DI-7001 MINI up to 19.09.19A1. Impacted is the function sprintf of the file /httpd_debug.asp of the component API. The manipulation of the argument Time results in stack-based buffer overflow. The attack may be performed from remote. The exploit is now public and may be used.

Published: 2026-06-01

Score: 8.7 High

EPSS: 1.2% Low

KEV: No

Impact:

Action:

Analysis

Impact

A stack-based buffer overflow occurs in the sprintf routine accessed by the /httpd_debug.asp API endpoint of the D‑Link DI‑7001 MINI device. Supplying a crafted Time argument exceeds the expected buffer size, corrupting the stack and allowing an attacker to redirect execution flow, leading to arbitrary code execution on the device.

Affected Systems

The vulnerability affects all D‑Link DI‑7001 MINI units running firmware versions up to and including 19.09.19A1. No other firmware revisions are known to be impacted by this issue.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity, and with a 1% EPSS score the likelihood of exploitation is low but nonzero. The exploit is publicly available and can be performed remotely by interacting with the /httpd_debug.asp endpoint. Based on the description, it is inferred that the /httpd_debug.asp endpoint does not require authentication, implying that an unauthenticated attacker could trigger the flaw. The vulnerability is not currently listed in the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

D-Link

DI-7001 MINI

affected

Version	Status	Constraints
`19.09.19A1`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:dlink:di-7001mini-8g_firmware:19.09.19a1:*:*:*:*:*:*:*

cpe:2.3:h:dlink:di-7001mini-8g:a1:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

D-link

Di-7001 Mini

100%

Version	Status	Scheme	Platform
`19.09.19A1`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the device firmware to a version newer than 19.09.19A1 that patches the /httpd_debug.asp buffer overflow.
If an upgrade cannot be applied, restrict external access to the /httpd_debug.asp endpoint using a firewall or device configuration changes to block the API or limit service to trusted networks.
Monitor network traffic for unusual requests to /httpd_debug.asp and log any anomalous activity for further investigation.

Generated by OpenCVE AI on June 18, 2026 at 03:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.0123.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/666324/dlink-DI-7001MINI-8G-vuln
https://github.com/666324/dlink-DI-7001MINI-8G-vuln/tree/main/dlink-DI-7001MINI-8G-vuln
https://vuldb.com/cve/CVE-2026-10270
https://vuldb.com/submit/825198
https://vuldb.com/vuln/367549
https://vuldb.com/vuln/367549/cti
https://www.dlink.com/

History

Wed, 03 Jun 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink Dlink di-7001mini-8g Dlink di-7001mini-8g Firmware
CPEs		cpe:2.3:h:dlink:di-7001mini-8g:a1:::::::* cpe:2.3:o:dlink:di-7001mini-8g_firmware:19.09.19a1:::::::*
Vendors & Products		Dlink Dlink di-7001mini-8g Dlink di-7001mini-8g Firmware

Mon, 01 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in D-Link DI-7001 MINI up to 19.09.19A1. Impacted is the function sprintf of the file /httpd_debug.asp of the component API. The manipulation of the argument Time results in stack-based buffer overflow. The attack may be performed from remote. The exploit is now public and may be used.
Title		D-Link DI-7001 MINI API httpd_debug.asp sprintf stack-based overflow
First Time appeared		D-link D-link di-7001 Mini
Weaknesses		CWE-119 CWE-121
CPEs		cpe:2.3:h:d-link:di-7001_mini::::::::
Vendors & Products		D-link D-link di-7001 Mini
References		https://github.com/666324/dlink-DI-7001MINI-8G-vuln https://github.com/666324/dlink-DI-7001MINI-8G-vuln/tree/main/dlink-DI-7001MINI-8G-vuln https://vuldb.com/cve/CVE-2026-10270 https://vuldb.com/submit/825198 https://vuldb.com/vuln/367549 https://vuldb.com/vuln/367549/cti https://www.dlink.com/
Metrics		cvssV2_0 `{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

D-link Di-7001 Mini

Dlink Di-7001mini-8g Di-7001mini-8g Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-01T15:30:11.093Z

Updated: 2026-06-01T19:46:56.015Z

Reserved: 2026-05-31T14:13:05.202Z

Link: CVE-2026-10270

Vulnrichment

Updated: 2026-06-01T19:46:52.363Z

NVD

Status : Analyzed

Published: 2026-06-01T17:16:43.280

Modified: 2026-06-03T20:02:06.540

Link: CVE-2026-10270

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T04:00:15Z

Weaknesses

CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-121
Stack-based Buffer Overflow

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object