Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints such as /api/setWlan. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action.
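The two controls the description says are missing, an Origin/Referer check and a per-session anti-CSRF token, are easy to show side by side. The following is an added example written for this page, not the router's firmware or any vendor code: the handler names, the request/session structures, the router origin allowlist and the sample requests are all constructed assumptions. The vulnerable handler accepts any POST that carries a valid session cookie, which is the behaviour the advisory describes; the hardened handler additionally rejects requests whose source origin is not the router itself and whose form body does not carry the session's token.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: the router's management UI is only ever served from these
# origins. A real deployment would derive this from the interface address.
ROUTER_ORIGINS = {"http://192.168.1.1", "http://router.local"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict


@dataclass
class SessionStore:
    """session_id -> {"user": ..., "csrf": ...}; the CSRF token is bound to the session."""
    sessions: dict = field(default_factory=dict)

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid


def vulnerable_set_wlan(req: Request, store: SessionStore):
    """Mirrors the flaw: only the session cookie is checked, so any page the
    browser visits can drive this endpoint while the admin is logged in."""
    sess = store.sessions.get(req.cookies.get("session"))
    if req.method != "POST" or sess is None:
        return 403, "unauthenticated"
    return 200, f"ssid set to {req.form.get('ssid')!r}"


def source_origin(req: Request):
    """Return the request's source origin from Origin, falling back to Referer.
    Returns None when neither is present; callers treat None as a failure."""
    origin = req.headers.get("Origin")
    if origin:
        return origin
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def hardened_set_wlan(req: Request, store: SessionStore):
    """Same endpoint with the two missing controls added."""
    sess = store.sessions.get(req.cookies.get("session"))
    if req.method != "POST" or sess is None:
        return 403, "unauthenticated"
    # Control 1: the request must originate from the router's own UI.
    # A missing Origin and Referer is rejected too, so header stripping does
    # not bypass the check.
    if source_origin(req) not in ROUTER_ORIGINS:
        return 403, "origin check failed"
    # Control 2: the per-session anti-CSRF token must be present in the body.
    # A cross-site page cannot read it, and compare_digest avoids timing leaks.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "csrf token check failed"
    return 200, f"ssid set to {req.form.get('ssid')!r}"


def demo():
    """Run both handlers against a legitimate and a cross-site request
    (both constructed) and return the status code each produced."""
    store = SessionStore()
    sid = store.login("admin")
    legit = Request("POST", "/api/setWlan",
                    {"Origin": "http://192.168.1.1"},
                    {"session": sid},
                    {"ssid": "HomeNet", "csrf_token": store.sessions[sid]["csrf"]})
    # The browser attaches the cookie automatically; the token is absent
    # because the originating page has no way to obtain it.
    cross_site = Request("POST", "/api/setWlan",
                         {"Origin": "http://other-site.invalid"},
                         {"session": sid},
                         {"ssid": "Changed"})
    return {
        "vulnerable_legit": vulnerable_set_wlan(legit, store)[0],
        "vulnerable_cross_site": vulnerable_set_wlan(cross_site, store)[0],
        "hardened_legit": hardened_set_wlan(legit, store)[0],
        "hardened_cross_site": hardened_set_wlan(cross_site, store)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Running the block shows the vulnerable handler returning 200 for both requests and the hardened one returning 403 for the cross-site request. Setting the session cookie with `SameSite=Lax` or `Strict` is a complementary browser-side defence, but it does not replace the server-side checks above, since the router cannot rely on every client honouring it.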
Published: 2026-04-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery vulnerability allows an attacker to craft a malicious web page that forces an authenticated administrator’s browser to send forged HTTP requests to the router’s administrative API endpoints. The router accepts these requests without verifying anti‑CSRF tokens or enforcing Origin/Referer checks, so the attacker can manipulate configuration settings such as Wi‑Fi parameters. This flaw can lead to unauthorized changes that compromise network security without requiring any local presence or credentials beyond a legitimate admin session.

Affected Systems

The vulnerability affects the Dbit N300 T1 Pro wireless router running firmware version V1.0.0. No other vendors or product versions are listed as impacted.

Risk and Exploitability

Because the attack requires only a malicious web page and relies on the victim’s authenticated session cookie, the risk of compromise is high for administrators who access the interface from a web browser. The exploit is straightforward with no specialized prerequisites, and the router lacks mitigations such as anti‑CSRF tokens. The CVSS score of 8.8 indicates high severity; the EPSS score is not available and the issue is not listed in CISA KEV, but the straightforward nature of the flaw still warrants immediate attention.

Generated by OpenCVE AI on May 2, 2026 at 00:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router firmware to a version that implements CSRF protection for administrative endpoints.
  • Restrict access to the web management interface to the local network or a VPN, and block the /api/setWlan endpoint from remote access.
  • Use a web‑application firewall or browser extension to enforce same‑origin policies and block unauthorized API calls.
  • Change the administrator password to a strong, unique value and enable any available two‑factor authentication.
  • Monitor router logs for unexpected configuration changes and adjust firewall rules if suspicious activity is detected.


Advisories

No advisories yet.

History

Tue, 05 May 2026 00:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dbitnet; Dbitnet dbit N300 T1 Pro; Dbitnet dbit N300 T1 Pro Firmware
CPEs | | cpe:2.3:h:dbitnet:dbit_n300_t1_pro:-:*:*:*:*:*:*:*; cpe:2.3:o:dbitnet:dbit_n300_t1_pro_firmware:1.0.0:*:*:*:*:*:*:*
Vendors & Products | | Dbitnet; Dbitnet dbit N300 T1 Pro; Dbitnet dbit N300 T1 Pro Firmware

Sat, 02 May 2026 01:00:00 +0000

Type | Values Removed | Values Added
Title | | Cross‑Site Request Forgery in Dbit N300 T1 Pro Router Web Management

Fri, 01 May 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dbit; Dbit n300 T1 Pro Wireless Router
Vendors & Products | | Dbit; Dbit n300 T1 Pro Wireless Router

Thu, 30 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-352
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | | A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints such as /api/setWlan. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-30T15:21:01.763Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36956

Vulnrichment

Updated: 2026-04-30T15:20:13.677Z

NVD

Status : Analyzed

Published: 2026-04-30T15:16:22.740

Modified: 2026-05-05T00:09:06.320

Link: CVE-2026-36956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:45:30Z

Weaknesses