CVE-2026-13545
published 2026-06-29CVE-2026-13545: A vulnerability has been found in D-Link DCS-935L 1.10.01. This affects the function sub_400E40 of the file setconf.cgi of the component POST Parameter…
PriorityP274high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.56%
72.2th percentile
A vulnerability has been found in D-Link DCS-935L 1.10.01. This affects the function sub_400E40 of the file setconf.cgi of the component POST Parameter Handler. Such manipulation of the argument UID leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| d-link | dcs-935l | — | — |
| dlink | dcs-935l_firmware | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
A vulnerability has been found in D-Link DCS-935L 1.10.01.
ghsa_unreviewed·2026-06-29
CVE-2026-13545 [HIGH] CWE-77 A vulnerability has been found in D-Link DCS-935L 1.10.01.
A vulnerability has been found in D-Link DCS-935L 1.10.01. This affects the function sub_400E40 of the file setconf.cgi of the component POST Parameter Handler. Such manipulation of the argument UID leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
VulDB
D-Link DCS-935L 1.10.01 POST Parameter setconf.cgi sub_400E40 UID os command injection
vuldb·2026-06-28
CVE-2026-13545 [CRITICAL] D-Link DCS-935L 1.10.01 POST Parameter setconf.cgi sub_400E40 UID os command injection
A vulnerability labeled as critical has been found in D-Link DCS-935L 1.10.01. This affects the function sub_400E40 of the file setconf.cgi of the component POST Parameter Handler. Such manipulation of the argument UID leads to os command injection.
This vulnerability is uniquely identified as CVE-2026-13545. The attack can be launched remotely. Moreover, an exploit is present.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-29
Published