CVE-2026-7067
Published: 27 April 2026
Summary
CVE-2026-7067 is a medium-severity Injection (CWE-74) vulnerability in Notion (inferred from references). Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 14.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-7067 is a command injection vulnerability in the D-Link DIR-822 A_101 router, specifically in the system function within the file /udhcpcd/dhcpd.c of the udhcpd DHCP service component. The flaw is triggered by improper handling of the Hostname argument and is tracked under CWE-74 and CWE-77. It carries a CVSS 4.0 score of 5.5 and affects only the discontinued A_101 firmware version of this end-of-life device.
An unauthenticated attacker can exploit the issue remotely by supplying a crafted DHCP Hostname value that results in arbitrary command execution on the device. Successful exploitation grants limited control over the affected system, including the ability to read, modify, or disrupt local resources without requiring user interaction.
The device is no longer supported by D-Link, and no patches or mitigations are referenced in available advisories. Public exploit code has been disclosed, though the EPSS score remains flat at 0.0248 with no observed increase after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25737
Vulnerability details
A vulnerability was determined in D-Link DIR-822 A_101. The impacted element is the function system of the file /udhcpcd/dhcpd.c of the component udhcpd DHCP Service. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely.…
more
The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in udhcpd DHCP service enables remote unauthenticated code execution on the router, mapping to exploitation of remote services (T1210) and Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 directly prevents command injection by requiring validation and sanitization of untrusted inputs such as the DHCP Hostname argument in udhcpd.
SI-2 mandates timely remediation of flaws like this command injection vulnerability through patching or compensating controls.
SA-22 prohibits or mitigates the use of unsupported end-of-life components like the vulnerable D-Link DIR-822, where no patches are available.