CVE-2026-7856 - Vulnerability Details

- D-Link DI-8100 Web Management url_member.asp buffer overflow

Description

A flaw has been found in D-Link DI-8100 16.07.26A1. This affects an unknown part of the file /url_member.asp of the component Web Management Interface. Executing a manipulation of the argument Name can lead to buffer overflow. The attack can be launched remotely. The exploit has been published and may be used.

Published: 2026-05-05

Score: 8.6 High

EPSS: 4.6% Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a classic buffer overflow in the /url_member.asp component of the web management interface of the D-Link DI‑8100 router. Manipulation of the Name input parameter allows an attacker to exceed the allocated buffer, potentially overwriting executable memory and enabling arbitrary code execution. This flaw, corresponding to CWE-119 and CWE-120, is triggered remotely; based on the description, it is inferred that an attacker could execute a crafted payload without requiring prior credentials, although this is not explicitly stated.

Affected Systems

Affected systems are D‑Link DI‑8100 routers that are running firmware version 16.07.26A1. The vulnerability description references an unknown part of /url_member.asp, implying that this exact firmware build is vulnerable. Administrators should verify that their devices match this revision or are newer.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity vulnerability, and the existence of a published exploit shows that exploitation can be performed remotely; based on the description, the attack vector is inferred to be unauthenticated, although this is not explicitly stated. The EPSS score of 5% indicates a moderate likelihood of exploitation, and the public availability of an exploit and the remote attack vector increase the likelihood of real‑world attacks. The vulnerability is not currently listed in the CISA KEV catalog, yet its severity warrants prompt action.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

D-Link

DI-8100

affected

Version	Status	Constraints
`16.07.26A1`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:dlink:di-8100_firmware:16.07.26a1:*:*:*:*:*:*:*

cpe:2.3:h:dlink:di-8100:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

D-link

Di-8100

100%

Version	Status	Scheme	Platform
`16.07.26A1`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the DI‑8100 firmware to the latest version released by D-Link that contains the buffer‑overflow fix.
Restrict access to the web management interface to trusted IP addresses or subnets, and enforce HTTPS with strong authentication where possible.
Deploy network perimeter controls or segmentation to block unauthenticated HTTP traffic to the router's management ports.

Generated by OpenCVE AI on June 18, 2026 at 14:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.04589.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/draw-ctf/report/blob/main/DI-8100/url_member_asp_overflow.md
https://vuldb.com/submit/807849
https://vuldb.com/vuln/361133
https://vuldb.com/vuln/361133/cti
https://www.dlink.com/

History

Wed, 06 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dlink Dlink di-8100 Dlink di-8100 Firmware
CPEs		cpe:2.3:h:dlink:di-8100:-:::::::* cpe:2.3:o:dlink:di-8100_firmware:16.07.26a1:::::::*
Vendors & Products		Dlink Dlink di-8100 Dlink di-8100 Firmware

Tue, 05 May 2026 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		D-link D-link di-8100
Vendors & Products		D-link D-link di-8100

Tue, 05 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 05 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in D-Link DI-8100 16.07.26A1. This affects an unknown part of the file /url_member.asp of the component Web Management Interface. Executing a manipulation of the argument Name can lead to buffer overflow. The attack can be launched remotely. The exploit has been published and may be used.
Title		D-Link DI-8100 Web Management url_member.asp buffer overflow
Weaknesses		CWE-119 CWE-120
References		https://github.com/draw-ctf/report/blob/main/DI-8100/url_member_asp_overflow.md https://vuldb.com/submit/807849 https://vuldb.com/vuln/361133 https://vuldb.com/vuln/361133/cti https://www.dlink.com/
Metrics		cvssV2_0 `{'score': 8.3, 'vector': 'AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

D-link Di-8100

Dlink Di-8100 Di-8100 Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-05T19:00:14.098Z

Updated: 2026-05-05T19:30:58.408Z

Reserved: 2026-05-05T11:41:27.815Z

Link: CVE-2026-7856

Vulnrichment

Updated: 2026-05-05T19:30:54.320Z

NVD

Status : Analyzed

Published: 2026-05-05T20:16:41.500

Modified: 2026-06-17T11:03:02.803

Link: CVE-2026-7856

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T14:30:15Z

Weaknesses

CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object