Description
A weakness has been identified in D-Link DIR-823X 250416. This impacts an unknown function of the file /goform/set_language. Executing a manipulation of the argument langSelection can lead to OS command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-02-07
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote OS Command Execution
Action: Patch
AI Analysis

Impact

A vulnerability in the D‑Link DIR‑823X router firmware build 250416 allows an attacker to execute arbitrary operating‑system commands by manipulating the langSelection parameter in the /goform/set_language endpoint. The flaw is caused by improper construction of a system command, leading to a classic OS command injection (CWE‑77/78). Because the injection can be triggered by a crafted HTTP request sent to the device’s admin interface, a remote attacker can gain the ability to run arbitrary commands on the router, potentially compromising its operation and internal data.

Affected Systems

Affected devices are D‑Link DIR‑823X routers running firmware 250416. No other firmware releases are explicitly identified as vulnerable. The affected endpoint is /goform/set_language.

Risk and Exploitability

The CVSS v4.0 base score of 8.6 places the flaw in the high‑severity category. The EPSS score is below 1 %, indicating a low but non‑zero likelihood of exploitation. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Because the vulnerability requires only a single crafted request to the device’s administrative interface, an attacker can perform the exploit remotely. Proof‑of‑concept code is publicly available, demonstrating that the flaw can be leveraged without special prerequisites beyond the privileges recorded in the CVSS vectors (PR:H in CVSS v3.x and v4.0, Au:M in CVSS v2).

Generated by OpenCVE AI on April 18, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to the latest release from D‑Link that addresses the command‑injection flaw.
  • Restrict access to the router’s administration interface by configuring firewall or ACL rules to allow only trusted IP addresses.
  • If an update is not immediately available, block or disable the /goform/set_language endpoint through firewall rules or by tuning the router’s web server configuration.


Advisories

No advisories yet.

History

Tue, 10 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dlink; Dlink dir-823x; Dlink dir-823x Firmware
CPEs | | cpe:2.3:h:dlink:dir-823x:-:*:*:*:*:*:*:*; cpe:2.3:o:dlink:dir-823x_firmware:250416:*:*:*:*:*:*:*
Vendors & Products | | Dlink; Dlink dir-823x; Dlink dir-823x Firmware

Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | D-link; D-link dir-823x
Vendors & Products | | D-link; D-link dir-823x

Sat, 07 Feb 2026 11:45:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in D-Link DIR-823X 250416. This impacts an unknown function of the file /goform/set_language. Executing a manipulation of the argument langSelection can lead to os command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
Title | | D-Link DIR-823X set_language os command injection
Weaknesses | | CWE-77; CWE-78
References | |
Metrics | | cvssV2_0 {'score': 8.3, 'vector': 'AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}; cvssV3_0 {'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}; cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}; cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:31:45.636Z

Reserved: 2026-02-06T08:15:49.330Z

Link: CVE-2026-2084

Vulnrichment

Updated: 2026-02-10T15:44:36.840Z

NVD

Status: Analyzed

Published: 2026-02-07T12:15:55.717

Modified: 2026-02-10T14:57:30.947

Link: CVE-2026-2084

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z

Weaknesses