CVE-2026-1419 - Vulnerability Details

- D-Link DCS700l Web Form setDayNightMode command injection

Description

A weakness has been identified in D-Link DCS700l 1.03.09. Affected is an unknown function of the file /setDayNightMode of the component Web Form Handler. Executing a manipulation of the argument LightSensorControl can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.

Published: 2026-01-26

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A command injection vulnerability exists in the D-Link DCS700l 1.03.09 firmware within the Web Form Handler’s /setDayNightMode endpoint. By manipulating the LightSensorControl argument, an attacker can inject arbitrary system commands, potentially leading to remote code execution and compromise of device integrity. The weakness is classified as command injection (CWE-74 and CWE-77).

Affected Systems

The vulnerability affects D-Link DCS700l routers running firmware version 1.03.09. No additional products or versions are listed as impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation. The flaw is not listed in the CISA KEV catalog, but a publicly available exploit has been reported. The attack vector is remote; an attacker can send a crafted HTTP request to the exposed /setDayNightMode endpoint, inserting malicious commands via the LightSensorControl parameter. Devices exposed directly to the internet or lacking proper network segmentation face the highest risk. Maintaining up‑to‑date firmware and restricting access can mitigate these risks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

D-Link

DCS700l

affected

Version	Status	Constraints
`1.03.09`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:dlink:dcs-700l_firmware:1.03.09:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dcs-700l:-:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
D-link	Dcs700l	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the D-Link DCS700l firmware to the latest version that patches the command injection flaw.
Restrict the web interface by limiting access to trusted IP addresses or by routing it through a secure VPN tunnel.
Disable or block remote management features and monitor logs for anomalous /setDayNightMode requests.

Generated by OpenCVE AI on April 18, 2026 at 02:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00069.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://tzh00203.notion.site/D-Link-DCS700l-v1-03-09-Command-Injection-Vulnerability-in-LightSensorControl-Parameter-2e6b5c52018a80ada0f6d7e72efd7a45?source=copy_link
https://vuldb.com/?ctiid.342815
https://vuldb.com/?id.342815
https://vuldb.com/?submit.736554
https://www.dlink.com/

History

Fri, 30 Jan 2026 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink Dlink dcs-700l Dlink dcs-700l Firmware
CPEs		cpe:2.3:h:dlink:dcs-700l:-:::::::* cpe:2.3:o:dlink:dcs-700l_firmware:1.03.09:::::::*
Vendors & Products		Dlink Dlink dcs-700l Dlink dcs-700l Firmware

Mon, 26 Jan 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 26 Jan 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		D-link D-link dcs700l
Vendors & Products		D-link D-link dcs700l

Mon, 26 Jan 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in D-Link DCS700l 1.03.09. Affected is an unknown function of the file /setDayNightMode of the component Web Form Handler. Executing a manipulation of the argument LightSensorControl can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.
Title		D-Link DCS700l Web Form setDayNightMode command injection
Weaknesses		CWE-74 CWE-77
References		https://tzh00203.notion.site/D-Link-DCS700l-v1-03-09-Command-Injection-Vulnerability-in-LightSensorControl-Parameter-2e6b5c52018a80ada0f6d7e72efd7a45?source=copy_link https://vuldb.com/?ctiid.342815 https://vuldb.com/?id.342815 https://vuldb.com/?submit.736554 https://www.dlink.com/
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

D-link Dcs700l

Dlink Dcs-700l Dcs-700l Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-01-26T04:32:08.759Z

Updated: 2026-02-23T08:56:42.817Z

Reserved: 2026-01-25T14:14:29.866Z

Link: CVE-2026-1419

Vulnrichment

Updated: 2026-01-26T15:11:16.407Z

NVD

Status : Analyzed

Published: 2026-01-26T05:16:05.193

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-1419

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:00:10Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object