Description
A vulnerability was determined in D-Link DGS-3420 1.50.018. This issue affects some unknown processing of the component System Information Settings Page. This manipulation of the argument System Name causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-26
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote cross‑site scripting via the System Name input
Action: Patch Now
AI Analysis

Impact

The vulnerability resides in the System Information Settings page of the D‑Link DGS‑3420 router. An attacker can supply a specially crafted System Name parameter that is reflected back into the page without proper sanitization, leading to cross‑site scripting. This flaw allows arbitrary JavaScript execution in the browser of any user who views the page, potentially enabling session hijacking, credential theft, or malicious navigation. The flaw is classified as CWE‑79 and also involves potential code injection (CWE‑94).

Affected Systems

This issue affects D‑Link DGS‑3420 devices running firmware version 1.50.018. No other firmware releases or builds were specified in the advisory, so only this version is known to be vulnerable. The router interface is the target of the attack; the vulnerability lies in the web‑based System Information Settings component.

Risk and Exploitability

The CVSS base score is 6.8, indicating a moderate severity level. The EPSS score is below 1%, meaning the likelihood of exploitation is low at the moment. The vulnerability is not listed in the CISA KEV catalog. Remote exploitation is possible; an attacker only needs to send a request containing a malicious System Name value to the router’s web interface, which is reachable over the network. The CVSS vectors recorded in the History section also specify high privileges required (PR:H) and user interaction (UI:R in v3.x, UI:P in v4.0), so the attacker needs a high‑privilege account and the payload runs only when a user views the page. Because the flaw occurs on a publicly reachable input and the payload is executed in the victim’s browser, the risk is primarily to users who log into the router remotely.

Generated by OpenCVE AI on April 28, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the D‑Link DGS‑3420 firmware to the latest release that removes the cross‑site scripting flaw in the System Information Settings page.
  • Limit access to the router’s web management interface to trusted internal networks or specific IP addresses, or disable remote management entirely.
  • If upgrade is not immediately possible, block or disable the System Information Settings page using the router’s firewall or access‑control rules, preventing the vulnerable input from being reached.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Dlink |
| | | Dlink dgs-3420-28tc |
| | | Dlink dgs-3420-28tc Firmware |
| CPEs | | cpe:2.3:h:dlink:dgs-3420-28tc:-:*:*:*:*:*:*:* |
| | | cpe:2.3:o:dlink:dgs-3420-28tc_firmware:1.50.018:*:*:*:*:*:*:* |
| Vendors & Products | | Dlink |
| | | Dlink dgs-3420-28tc |
| | | Dlink dgs-3420-28tc Firmware |

Mon, 27 Apr 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | D-link |
| | | D-link dgs-3420 |
| Vendors & Products | | D-link |
| | | D-link dgs-3420 |

Mon, 27 Apr 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Sun, 26 Apr 2026 07:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was determined in D-Link DGS-3420 1.50.018. This issue affects some unknown processing of the component System Information Settings Page. This manipulation of the argument System Name causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. |
| Title | | D-Link DGS-3420 System Information Settings cross site scripting |
| Weaknesses | | CWE-79 |
| | | CWE-94 |
| References | | |
| Metrics | | cvssV2_0: {'score': 6.1, 'vector': 'AV:N/AC:L/Au:M/C:N/I:C/A:N/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 4.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 4.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'} |

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:31:45.153Z

Reserved: 2026-04-25T14:13:55.932Z

Link: CVE-2026-7026

Vulnrichment

Updated: 2026-04-27T13:19:00.889Z

NVD

Status: Analyzed

Published: 2026-04-26T08:16:01.513

Modified: 2026-04-30T14:11:03.170

Link: CVE-2026-7026

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z

Weaknesses