An attacker can supply a crafted read_list parameter to the cgi_adduser_to_session function in /cgi-bin/account_mgr.cgi on several D‑Link router models. The malformed input overflows a stack buffer, potentially enabling execution of arbitrary code on the device. The vulnerable function is exposed through the web interface, so the attack can be launched remotely; however, the description does not explicitly state whether authentication is required to trigger the overflow.

The flaw affects many D‑Link router models, including DNS‑120, DNS‑1200‑05, DNS‑1100‑4, DNS‑1550‑04, DNS‑315L, DNS‑320, DNS‑320L, DNS‑320LW, DNS‑321, DNS‑322L, DNS‑323, DNS‑325, DNS‑326, DNS‑327L, DNS‑340L, DNS‑343, DNS‑345, DNS‑726‑4, DNR‑202L, DNR‑326, and DNR‑322L. All firmware versions up to 20260205 are vulnerable.

The vulnerability carries a high CVSS score of 8.7, indicating a serious potential impact if successfully exploited. The EPSS score is below 1%, suggesting that public exploitation is currently rare. The flaw is not listed in the CISA KEV catalog. Because the vulnerable function is reachable via the web interface, any device exposed to the internet faces significant risk, even though authentication requirements are not explicitly defined in the CVE description.