CVE Catalog

CVE-2026-13545

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.56%

72th percentile — higher than 72% of all known CVEs

Summary

A vulnerability was found in D-Link DCS-935L camera firmware version 1.10.01, allowing OS command injection. The issue resides in the sub_400E40 function of the setconf.cgi file, where the UID argument is mishandled by the POST Parameter Handler component. The attack can be launched remotely, and exploit details are publicly available.

Risk Assessment

The organization is at risk of remote takeover of the D-Link DCS-935L camera, enabling an attacker to execute arbitrary system commands, potentially compromising data confidentiality and integrity, and facilitating further network attacks.

Recommendation

Immediately update the D-Link DCS-935L camera firmware to the latest version if a patch is available. If no update exists, restrict external network access to the camera and apply firewall rules to block unauthorized requests to the CGI interface.

Original NVD description (English source)

A vulnerability has been found in D-Link DCS-935L 1.10.01. This affects the function sub_400E40 of the file setconf.cgi of the component POST Parameter Handler. Such manipulation of the argument UID leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS