PatchSiren

CVE-2026-10878 D-Link CVE debrief

A low-severity vulnerability was detected in D-Link DWR-M920 firmware 1.1.50/1.1.70. The function sub_41C8E8 of the file /boafrm/formSmsManage is affected: manipulating the argument action_value leads to command injection. The attack can be carried out remotely.

Vendor: D-Link
Product: DWR-M920
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-05
Original CVE updated: 2026-06-05
Advisory published: 2026-06-05
Advisory updated: 2026-06-05

Who should care

Administrators and users of D-Link DWR-M920 firmware versions 1.1.50 and 1.1.70 should be aware of this vulnerability.

Technical summary

The vulnerability has a CVSS score of 2.1 and is classified as CWE-74 and CWE-77. It allows for command injection through the manipulation of the argument action_value in the function sub_41C8E8 of the file /boafrm/formSmsManage. The attack can be carried out remotely.

Defensive priority

Low

Recommended defensive actions

  • Update to a fixed version of the firmware if available.

Evidence notes

The vulnerability was detected in D-Link DWR-M920 1.1.50/1.1.70. The function sub_41C8E8 of the file /boafrm/formSmsManage is affected.

Official resources

CVE-2026-10878 was published on 2026-06-05 and modified on 2026-06-05.