CVE-2026-2193 - Vulnerability Details

- D-Link DI-7100G C1 set_jhttpd_info command injection

Description

A vulnerability was detected in D-Link DI-7100G C1 24.04.18D1. Affected by this issue is the function set_jhttpd_info. Performing a manipulation of the argument usb_username results in command injection. Remote exploitation of the attack is possible.

Published: 2026-02-08

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability involves the function set_jhttpd_info in the firmware of the D-Link DI-7100G C1. Manipulation of the usb_username parameter allows arbitrary command injection, enabling an attacker to execute commands on the device without authentication. This flaw falls under CWE‑74 (Improper Validation of Input) and CWE‑77 (Command Injection). The potential impact is complete control over the device, enabling further compromise of the network.

Affected Systems

Affected product: D-Link DI-7100G C1 running firmware version 24.04.18D1. The vulnerability is present only in this specific firmware build and may be mitigated by updating to a newer, patched version.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate severity, and the EPSS score is below 1%, suggesting low current exploitation probability. However, the vulnerability is exposed via a web-based interface and remote exploitation is possible, meaning an attacker with network visibility could potentially abuse it. The flaw is not listed in the CISA KEV catalog, but its remote nature warrants immediate attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

D-Link

DI-7100G C1

affected

Version	Status	Constraints
`24.04.18D1`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:dlink:di-7100g_c1_firmware:24.04.18d1:*:*:*:*:*:*:*

cpe:2.3:h:dlink:di-7100g_c1:-:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
D-link	Di-7100g C1	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the DI-7100G C1 firmware to the latest version provided by D‑Link.
Configure network firewalls or routers to block external access to the device’s web interface, limiting exposure to trusted internal traffic.
Consider disabling the web management interface entirely if management can be performed through alternative methods, or apply local access controls to restrict the management interface to a secure IP range.

Generated by OpenCVE AI on April 17, 2026 at 21:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00099.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_4.md
https://vuldb.com/?ctiid.344896
https://vuldb.com/?id.344896
https://vuldb.com/?submit.749803
https://www.dlink.com/

History

Wed, 11 Feb 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink Dlink di-7100g C1 Dlink di-7100g C1 Firmware
CPEs		cpe:2.3:h:dlink:di-7100g_c1:-:::::::* cpe:2.3:o:dlink:di-7100g_c1_firmware:24.04.18d1:::::::*
Vendors & Products		Dlink Dlink di-7100g C1 Dlink di-7100g C1 Firmware

Mon, 09 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Feb 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		D-link D-link di-7100g C1
Vendors & Products		D-link D-link di-7100g C1

Sun, 08 Feb 2026 23:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in D-Link DI-7100G C1 24.04.18D1. Affected by this issue is the function set_jhttpd_info. Performing a manipulation of the argument usb_username results in command injection. Remote exploitation of the attack is possible.
Title		D-Link DI-7100G C1 set_jhttpd_info command injection
Weaknesses		CWE-74 CWE-77
References		https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_4.md https://vuldb.com/?ctiid.344896 https://vuldb.com/?id.344896 https://vuldb.com/?submit.749803 https://www.dlink.com/
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

D-link Di-7100g C1

Dlink Di-7100g C1 Di-7100g C1 Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-08T23:02:11.243Z

Updated: 2026-02-23T09:51:21.510Z

Reserved: 2026-02-07T17:32:45.833Z

Link: CVE-2026-2193

Vulnrichment

Updated: 2026-02-09T16:43:01.080Z

NVD

Status : Analyzed

Published: 2026-02-08T23:15:49.840

Modified: 2026-02-11T18:37:22.753

Link: CVE-2026-2193

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:45:28Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object