Description
A vulnerability was identified in TRENDnet TEW-824DRU 1.010B01/1.04B01. The impacted element is the function sub_420A78 of the file apply_sec.cgi of the component Web Interface. Such manipulation of the argument Language leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-17
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

A vulnerability in the sub_420A78 function of the apply_sec.cgi component allows an attacker to inject arbitrary client‑side script through the Language parameter. The injected script executes in the victim’s browser context when the vulnerable page is loaded, enabling the attacker to manipulate the web page or perform actions on behalf of the user.

Affected Systems

Firmware versions 1.010B01 and 1.04B01 of the TRENDnet TEW‑824DRU router are affected. The corresponding Common Platform Enumeration string is cpe:2.3:o:trendnet:tew-824dru_firmware:*:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. The description states that the attack can be launched remotely; it is inferred that authentication is not required for exploitation. A publicly available exploit could be deployed against exposed devices, raising the likelihood of real‑world exploitation.

Generated by OpenCVE AI on March 18, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update that addresses the XSS flaw.
  • If no update is available, restrict access to the router’s web interface to trusted internal networks or block the interface from external traffic with a firewall.
  • Consider disabling or restricting the Language feature to prevent manipulation of the vulnerable parameter.


Advisories

No advisories yet.

History

Wed, 18 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared: Trendnet tew-824dru
Vendors & Products: Trendnet tew-824dru

Tue, 17 Mar 2026 23:45:00 +0000

Type Values Removed Values Added
Title: TRENDnet TEW-824DRU Web apply_sec.cgi sub_420A78 cross site scripting
First Time appeared: Trendnet; Trendnet tew-824dru Firmware
Weaknesses: CWE-79, CWE-94
CPEs: cpe:2.3:o:trendnet:tew-824dru_firmware:*:*:*:*:*:*:*:*
Vendors & Products: Trendnet; Trendnet tew-824dru Firmware
References
Metrics:
  cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-18T20:19:29.923Z

Reserved: 2026-03-17T18:23:31.433Z

Link: CVE-2026-4354

Vulnrichment

Updated: 2026-03-18T20:19:27.283Z

NVD

Status: Deferred

Published: 2026-03-18T00:16:20.457

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-4354

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:54:20Z
