Description
A vulnerability was identified in D-Link DSL-2740R EU_01.15. Impacted is an unknown function of the component Wireless Setup Section. Such manipulation of the argument Wireless Network Name leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used.
Published: 2026-04-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via the Wireless Network Name field
Action: Apply firmware patch
AI Analysis

Impact

A cross‑site scripting flaw exists in the Wireless Setup Section of the D‑Link DSL‑2740R firmware version EU_01.15. By providing a crafted value for the Wireless Network Name argument, an attacker can inject arbitrary client‑side scripts. The impact is the ability to deface the web interface, steal session cookies, or execute arbitrary JavaScript in the context of an authenticated user’s browser. The vulnerability is a classic reflected XSS (CWE‑79) and also involves a code injection component (CWE‑94) where the crafted input is processed by the router’s software.

Affected Systems

The affected product is the D‑Link DSL‑2740R router running firmware EU_01.15. Users should verify that their device matches this build before checking for a vulnerable configuration. No other versions or editions were listed as impacted.

Risk and Exploitability

The CVSS score of 4.8 places this issue in the moderate risk range, and the EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis. The defect is not listed in the CISA KEV catalog. Because the attack can be performed remotely through the router’s web interface and the exploit code is publicly available, the potential impact depends on the attacker’s level of access to the router’s management console. The exploit requires the ability to submit an HTTP request to the Wireless Setup endpoint. An attacker with network access to the router’s LAN or WAN side can send the malicious payload. Once the payload is executed in a victim’s browser, it can perform phishing, data theft, or other client‑side attacks. Given the moderate CVSS score but low EPSS, the practical risk is considered moderate; however, in environments where the router’s web interface is exposed to the Internet or to untrusted networks, the threat is elevated.

Generated by OpenCVE AI on April 28, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router firmware to the latest version that includes the XSS fix. Check D‑Link’s support site for the patch for DSL‑2740R.
  • If a firmware upgrade is not immediately available, restrict remote access to the device by disabling the WAN‑side web management or applying a firewall rule to block all inbound traffic to the router’s HTTP/HTTPS ports.
  • Apply network segmentation or use a VPN to isolate the router’s management traffic from untrusted networks.
  • As a temporary measure, avoid entering any JavaScript or unusual characters into the Wireless Network Name field. Replace the SSID with a plain alphanumeric name that does not trigger content‑injection bugs.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared: Dlink; Dlink dsl-2740r; Dlink dsl-2740r Firmware
CPEs: cpe:2.3:h:dlink:dsl-2740r:-:*:*:*:*:*:*:*; cpe:2.3:o:dlink:dsl-2740r_firmware:eu_01.15:*:*:*:*:*:*:*
Vendors & Products: Dlink; Dlink dsl-2740r; Dlink dsl-2740r Firmware

Mon, 27 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared: D-link; D-link dsl-2740r
Vendors & Products: D-link; D-link dsl-2740r

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 26 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description: A vulnerability was identified in D-Link DSL-2740R EU_01.15. Impacted is an unknown function of the component Wireless Setup Section. Such manipulation of the argument Wireless Network Name leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used.
Title: D-Link DSL-2740R Wireless Setup Section cross site scripting
Weaknesses: CWE-79; CWE-94
References
Metrics:
  cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T13:48:51.727Z

Reserved: 2026-04-25T14:15:21.357Z

Link: CVE-2026-7027

Vulnrichment

Updated: 2026-04-27T13:48:46.960Z

NVD

Status: Analyzed

Published: 2026-04-26T09:16:17.967

Modified: 2026-04-30T14:10:56.920

Link: CVE-2026-7027

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z
