Description
A security vulnerability has been detected in D-Link DI-8100 16.07.26A1. Affected by this vulnerability is the function url_rule_asp of the file /url_rule.asp of the component POST Parameter Handler. Such manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-05-05
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow occurs in the url_rule_asp function of /url_rule.asp (the POST Parameter Handler component) in D-Link DI-8100 firmware 16.07.26A1 when a malicious user sends an oversized payload to the /url_rule.asp endpoint. The flaw is a classic unbounded memory write (CWE-119, CWE-120) and can allow arbitrary code execution on the device. The CNA description states that the vulnerability is exploitable remotely and that the exploit has been publicly disclosed, meaning attackers can trigger it over the network rather than needing local access to the device.

Affected Systems

The affected system is the D‑Link DI‑8100 router running firmware version 16.07.26A1. No other versions or models are listed in the CNA data.

Risk and Exploitability

The CVSS score of 9.3 denotes critical severity; no EPSS score is available, so the exploitation likelihood cannot be quantified from public data. The CVSS vectors on this record specify a network attack vector with no privileges and no user interaction required (AV:N, PR:N, UI:N) and proof-of-concept exploit maturity (E:P). The vulnerability is not listed in CISA's KEV catalog, but the public disclosure and remote-attack nature suggest that it may be actively exploited. An attacker who can reach the router's web interface can send a crafted POST request to /url_rule.asp, causing the buffer overflow and potentially gaining full control of the device.

Generated by OpenCVE AI on May 5, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the DI-8100 firmware to a version that addresses the buffer overflow flaw once the vendor provides one
  • If an update is not available, block or drop HTTP POST requests to /url_rule.asp or disable the URL rule feature via the router’s configuration
  • Restrict access to the router’s administrative interface to trusted IPs and enforce strong authentication to limit the attack surface

Advisories

No advisories yet.

History

Tue, 05 May 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | D-link; D-link di-8100
Vendors & Products | | D-link; D-link di-8100

Tue, 05 May 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in D-Link DI-8100 16.07.26A1. Affected by this vulnerability is the function url_rule_asp of the file /url_rule.asp of the component POST Parameter Handler. Such manipulation leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
Title | | D-Link DI-8100 POST Parameter url_rule.asp url_rule_asp buffer overflow
Weaknesses | | CWE-119; CWE-120
References | |
Metrics | | cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-05T18:15:14.438Z

Reserved: 2026-05-05T11:39:23.996Z

Link: CVE-2026-7854

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-05T19:16:23.540

Modified: 2026-05-05T19:30:02.603

Link: CVE-2026-7854

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T19:30:30Z

Weaknesses