Cyber Resilience

CVE-2026-7067

Medium

Published: 27 April 2026

Published
27 April 2026
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0248 85.6th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7067 is a medium-severity Injection (CWE-74) vulnerability in Notion (inferred from references). Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 14.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-7067 is a command injection vulnerability in the D-Link DIR-822 A_101 router, specifically in the system function within the file /udhcpcd/dhcpd.c of the udhcpd DHCP service component. The flaw is triggered by improper handling of the Hostname argument and is tracked under CWE-74 and CWE-77. It carries a CVSS 4.0 score of 5.5 and affects only the discontinued A_101 firmware version of this end-of-life device.

An unauthenticated attacker can exploit the issue remotely by supplying a crafted DHCP Hostname value that results in arbitrary command execution on the device. Successful exploitation grants limited control over the affected system, including the ability to read, modify, or disrupt local resources without requiring user interaction.

The device is no longer supported by D-Link, and no patches or mitigations are referenced in available advisories. Public exploit code has been disclosed, though the EPSS score remains flat at 0.0248 with no observed increase after publication.

EU & UK References

Vulnerability details

A vulnerability was determined in D-Link DIR-822 A_101. The impacted element is the function system of the file /udhcpcd/dhcpd.c of the component udhcpd DHCP Service. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely.…

more

The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in udhcpd DHCP service enables remote unauthenticated code execution on the router, mapping to exploitation of remote services (T1210) and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-2729Shared CWE-74, CWE-77
CVE-2025-2731Shared CWE-74, CWE-77
CVE-2025-2727Shared CWE-74, CWE-77
CVE-2025-2725Shared CWE-74, CWE-77
CVE-2025-15139Shared CWE-74, CWE-77
CVE-2025-14108Shared CWE-74, CWE-77
CVE-2025-7836Shared CWE-74, CWE-77
CVE-2025-14106Shared CWE-74, CWE-77
CVE-2025-46122Shared CWE-77
CVE-2026-20147Shared CWE-77

Affected Assets

Notion
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents command injection by requiring validation and sanitization of untrusted inputs such as the DHCP Hostname argument in udhcpd.

prevent

SI-2 mandates timely remediation of flaws like this command injection vulnerability through patching or compensating controls.

prevent

SA-22 prohibits or mitigates the use of unsupported end-of-life components like the vulnerable D-Link DIR-822, where no patches are available.

References