CVE-2026-13545 | A vulnerability has been found in D-Link DCS-935L 1.10.01. T… | CVSS 8.8 HIGH

Description

A vulnerability has been found in D-Link DCS-935L 1.10.01. This affects the function sub_400E40 of the file setconf.cgi of the component POST Parameter Handler. Such manipulation of the argument UID leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Metadata

CVE ID: CVE-2026-13545
State: PUBLISHED
Assigner: VulDB
Reserved: 2026-06-28 10:17 UTC
Published: 2026-06-29 07:00 UTC
Last updated: 2026-06-29 07:00 UTC
Primary CWE: CWE-78
OS Command Injection
Vendor / Product: D-Link / DCS-935L
Sources: cve.org · NVD

Severity & Metrics

8.8 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

Affected products (1)

Vendor	Product	Platform	Versions
D-Link	DCS-935L	—	1.10.01

Weakness (CWE)

CWE	Source	Description
CWE-77	cna	Command Injection
CWE-78	cna	OS Command Injection

CVSS scores (4)

Score	Severity	Version	Source	Vector
9.0	N/D	2.0	cna	AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR
8.8	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
8.8	HIGH	3.0	cna	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
8.7	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References (6)

VDB-374553 | D-Link DCS-935L POST Parameter setconf.cgi sub_400E40 os command injection https://vuldb.com/vuln/374553
VDB-374553 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/374553/cti
CVE-2026-13545 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-13545
Submit #842589 | D-Link DCS-935L HD Wi-Fi Camera 1.10.01 CWE-78: OS Command Injection https://vuldb.com/submit/842589
https://github.com/Real-Simplicity/cve-database/tree/main/CVE_Report_DLink_DCS935L_Command_Injection
https://www.dlink.com/