CVE-2026-5213

HighPublic PoC

Published: 31 March 2026

Published

31 March 2026

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0005 16.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5213 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dnr-202L Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents the stack-based buffer overflow by validating the length and format of the read_list argument in the cgi_adduser_to_session function.

SI-16 Memory Protection good match

prevent

Mitigates stack-based buffer overflows through memory safeguards like stack canaries, address space layout randomization, and data execution prevention.

SI-2 Flaw Remediation good match

prevent

Addresses the vulnerability by identifying, reporting, and correcting the buffer overflow flaw via firmware updates for affected D-Link NAS devices.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Stack-based buffer overflow in public-facing web CGI (/cgi-bin/account_mgr.cgi) on NAS devices enables remote exploitation of the application for initial access and code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was determined in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The affected element is the function cgi_adduser_to_session of the file…

/cgi-bin/account_mgr.cgi. This manipulation of the argument read_list causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

Deeper analysisAI

CVE-2026-5213 is a stack-based buffer overflow vulnerability affecting multiple D-Link Network Attached Storage (NAS) devices, including models DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, with firmware versions up to 20260205. The flaw resides in the cgi_adduser_to_session function of the /cgi-bin/account_mgr.cgi file, where manipulation of the read_list argument triggers the overflow.

Attackers can exploit this vulnerability remotely over the network with low privileges required and no user interaction needed, as indicated by the CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 8.8. Successful exploitation grants high impacts on confidentiality, integrity, and availability. The vulnerability maps to CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write).

Advisories and additional details are available via VulDB entries (https://vuldb.com/vuln/354350, https://vuldb.com/vuln/354350/cti, https://vuldb.com/submit/780437) and the D-Link website (https://www.dlink.com/). A proof-of-concept exploit has been publicly disclosed in a GitHub repository (https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_168/168.md).

Details

CWE(s): CWE-119 CWE-121 CWE-787

Affected Products

dlink

dnr-202l firmware

≤ 2026-02-05

dlink

dnr-326 firmware

≤ 2026-02-05

dlink

dns-1100-4 firmware

≤ 2026-02-05

dlink

dns-120 firmware

≤ 2026-02-05

dlink

dns-1200-05 firmware

≤ 2026-02-05

dlink

dns-1550-04 firmware

≤ 2026-02-05

dlink

dns-315l firmware

≤ 2026-02-05

dlink

dns-320 firmware

≤ 2026-02-05

dlink

dns-320l firmware

≤ 2026-02-05

dlink

dns-320lw firmware

≤ 2026-02-05

+10 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2026-4211Same product: Dlink Dnr-202L

CVE-2026-5212Same product: Dlink Dnr-202L

CVE-2026-5214Same product: Dlink Dnr-202L

CVE-2026-5211Same product: Dlink Dnr-202L

CVE-2026-4214Same product: Dlink Dnr-202L

CVE-2026-4213Same product: Dlink Dnr-202L

CVE-2026-4212Same product: Dlink Dnr-202L

CVE-2026-4194Same product: Dlink Dnr-202L

CVE-2026-4197Same product: Dlink Dnr-202L

CVE-2026-4196Same product: Dlink Dnr-202L

References

https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_168/168.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/submit/780437
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/354350
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/354350/cti
Permissions Required, VDB Entry · cna@vuldb.com
https://www.dlink.com/
Product · cna@vuldb.com