Cyber Resilience

CVE-2026-1419

MediumPublic PoC

Published: 26 January 2026

Published
26 January 2026
Modified
30 January 2026
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0008 23.4th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1419 is a medium-severity Injection (CWE-74) vulnerability in Dlink Dcs-700L Firmware. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-1419 is a command injection vulnerability affecting the D-Link DCS700l camera running firmware version 1.03.09. The issue resides in an unknown function within the /setDayNightMode file of the Web Form Handler component, where manipulation of the LightSensorControl argument enables command injection. This flaw, associated with CWE-74 and CWE-77, was published on 2026-01-26 and carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by an attacker who possesses high privileges (PR:H). By crafting and submitting a malicious LightSensorControl argument, the attacker can inject and execute arbitrary commands on the device, potentially resulting in low-level impacts to confidentiality, integrity, and availability.

Advisories and references, including detailed write-ups on VulDB (ctiid.342815, id.342815, submit.736554) and a Notion.site page, document the vulnerability and note that a public exploit is available, increasing the risk of attacks. The vendor site at dlink.com is referenced, but no specific patch or mitigation details are outlined in the provided information.

EU & UK References

Vulnerability details

A weakness has been identified in D-Link DCS700l 1.03.09. Affected is an unknown function of the file /setDayNightMode of the component Web Form Handler. Executing a manipulation of the argument LightSensorControl can lead to command injection. The attack may be…

more

launched remotely. The exploit has been made available to the public and could be used for attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection via web form parameter directly enables remote exploitation of the public-facing camera interface and arbitrary Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2194Same vendor: Dlink
CVE-2026-2218Same vendor: Dlink
CVE-2026-4203Same vendor: Dlink
CVE-2026-4207Same vendor: Dlink
CVE-2025-10628Same vendor: Dlink
CVE-2026-4210Same vendor: Dlink
CVE-2026-4197Same vendor: Dlink
CVE-2025-10634Same vendor: Dlink
CVE-2025-10629Same vendor: Dlink
CVE-2026-8345Same vendor: Dlink

Affected Assets

dlink
dcs-700l firmware
1.03.09

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the LightSensorControl argument in /setDayNightMode to block command injection (CWE-77).

prevent

Enforces least privilege so that only the minimal set of authenticated users can reach the vulnerable web form handler, reducing the population able to supply a malicious LightSensorControl value.

prevent

Mandates timely application of vendor patches or firmware updates that remediate the command-injection flaw in the D-Link DCS700l web component.

References