Description
A vulnerability has been found in Datacom DM4100 1.3.6.1.4.1.3709. Affected by this issue is some unknown functionality of the component VLAN Page. Manipulation of the VLAN Name argument leads to cross-site scripting. The attack can be performed remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-25
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the VLAN Page component of Datacom DM4100 firmware 1.3.6.1.4.1.3709, where the VLAN Name argument is not properly sanitized. Based on the description, it is inferred that this allows a remote attacker to inject arbitrary script that executes in the browser of anyone who views the affected page, enabling session hijacking, credential theft or phishing. The flaw is a classic reflected XSS, classified under CWE‑79; it does not give direct code execution on the device but can be abused to compromise the users who view the page.

Affected Systems

Datacom DM4100 network switches running firmware version 1.3.6.1.4.1.3709. Earlier builds lacking the patch are also susceptible.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. The EPSS score of less than 1% shows a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that, because the page is reachable from remote interfaces, the attack may be performed by any unauthenticated user who can reach the admin UI. No authentication bypass is required, making it achievable without privileged access.

Generated by OpenCVE AI on April 28, 2026 at 13:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Datacom DM4100 firmware to the latest release that contains the fix for the VLAN Page XSS issue.
  • If a patch is not yet available, restrict web‑based management access to trusted administrative networks or apply IP whitelisting to limit exposure of the vulnerable page.
  • Deploy a web‑application firewall or enable a strict Content‑Security‑Policy to prevent the execution of injected scripts in the browser.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared   -                 Datacom
                                        Datacom dm4100
Vendors & Products    -                 Datacom
                                        Datacom dm4100

Mon, 27 Apr 2026 13:15:00 +0000

Type      Values Removed    Values Added
Metrics   -                 ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Apr 2026 21:15:00 +0000

Type          Values Removed    Values Added
Description   -                 A vulnerability has been found in Datacom DM4100 1.3.6.1.4.1.3709. Affected by this issue is some unknown functionality of the component VLAN Page. Such manipulation of the argument VLAN Name leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title         -                 Datacom DM4100 VLAN Page cross site scripting
Weaknesses    -                 CWE-79
                                CWE-94
References    -                 -
Metrics       -                 cvssV2_0
                                {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                                cvssV3_0
                                {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                cvssV3_1
                                {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                cvssV4_0
                                {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T12:39:14.369Z

Reserved: 2026-04-24T20:10:15.934Z

Link: CVE-2026-7000

Vulnrichment

Updated: 2026-04-27T12:39:10.320Z

NVD

Status: Deferred

Published: 2026-04-25T21:16:19.863

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7000

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:30:32Z

Weaknesses