Cyber Resilience

CVE-2026-4465

MediumPublic PoC

Published: 20 March 2026

Published
20 March 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0309 86.0th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-4465 is a medium-severity Command Injection (CWE-77) vulnerability in Dlink Dir-513. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4465 is an OS command injection vulnerability (CWE-77, CWE-78) in the D-Link DIR-513 router running firmware version 1.10. The flaw affects an unknown function within the /goform/formSysCmd file, where manipulation of the sysCmd argument triggers the injection.

The vulnerability enables remote exploitation (AV:N) by attackers with low privileges (PR:L), requiring low complexity (AC:L) and no user interaction (UI:N). Successful exploitation can result in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS 3.1 base score of 6.3. An exploit has been publicly published.

This issue impacts products no longer supported by the maintainer, with no patches available. Relevant advisories appear in VulDB entries (ctiid.351755, id.351755, submit.772866) and a GitHub-hosted PDF detailing the flaw, alongside the D-Link website.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A flaw has been found in D-Link DIR-513 1.10. The impacted element is an unknown function of the file /goform/formSysCmd. Executing a manipulation of the argument sysCmd can lead to os command injection. The attack may be launched remotely. The…

more

exploit has been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

CVE enables exploitation of public-facing web application (T1190) via OS command injection in router firmware, directly facilitating Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-70233Same product: Dlink Dir-513
CVE-2025-70237Same product: Dlink Dir-513
CVE-2025-70229Same product: Dlink Dir-513
CVE-2025-70234Same product: Dlink Dir-513
CVE-2025-70245Same product: Dlink Dir-513
CVE-2026-3978Same product: Dlink Dir-513
CVE-2025-70221Same product: Dlink Dir-513
CVE-2025-70246Same product: Dlink Dir-513
CVE-2025-70239Same product: Dlink Dir-513
CVE-2025-70226Same product: Dlink Dir-513

Affected Assets

dlink
dir-513 firmware
1.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by validating and sanitizing the sysCmd argument in /goform/formSysCmd.

prevent

Mitigates risks from the unsupported D-Link DIR-513 firmware by disabling or isolating vulnerable unsupported components.

preventrecover

Addresses the specific command injection flaw through remediation or compensating controls despite lack of vendor patches.

References