{"api_version":"1","generated_at":"2026-04-23T13:53:34+00:00","cve":"CVE-2022-26670","urls":{"html":"https://cve.report/CVE-2022-26670","api":"https://cve.report/api/cve/CVE-2022-26670.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-26670","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-26670"},"summary":{"title":"CVE-2022-26670","description":"D-Link DIR-878 has inadequate filtering for special characters in the webpage input field. An unauthenticated LAN attacker can perform command injection attack to execute arbitrary system commands to control the system or disrupt service.","state":"PUBLIC","assigner":"cve@cert.org.tw","published_at":"2022-04-07 19:15:00","updated_at":"2022-04-14 18:37:00"},"problem_types":["CWE-78"],"metrics":[],"references":[{"url":"https://www.twcert.org.tw/tw/cp-132-5972-c259e-1.html","name":"https://www.twcert.org.tw/tw/cp-132-5972-c259e-1.html","refsource":"MISC","tags":[],"title":"TWCERT/CC台灣電腦網路危機處理暨協調中心|企業資安通報協處|資安情資分享|漏洞通報|資安聯盟|資安電子報-D-Link DIR-878 - Command Injection","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-26670","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26670","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"26670","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"dlink","cpe5":"dir-878","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"26670","vulnerable":"1","versionEndIncluding":"1.20b05","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"dlink","cpe5":"dir-878_firmware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"AKA":"TWCERT/CC","ASSIGNER":"cve@cert.org.tw","DATE_PUBLIC":"2022-03-31T02:26:00.000Z","ID":"CVE-2022-26670","STATE":"PUBLIC","TITLE":"D-Link DIR-878 - Command Injection"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"DIR-878","version":{"version_data":[{"version_affected":"<=","version_value":"1.20b05"}]}}]},"vendor_name":"D-Link"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"D-Link DIR-878 has inadequate filtering for special characters in the webpage input field. An unauthenticated LAN attacker can perform command injection attack to execute arbitrary system commands to control the system or disrupt service."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-78 OS Command Injection"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://www.twcert.org.tw/tw/cp-132-5972-c259e-1.html","name":"https://www.twcert.org.tw/tw/cp-132-5972-c259e-1.html"}]},"solution":[{"lang":"eng","value":"Update firmware version to v1.30B08 Hotfix03"}],"source":{"advisory":"TVN-202203003","discovery":"EXTERNAL"}},"nvd":{"publishedDate":"2022-04-07 19:15:00","lastModifiedDate":"2022-04-14 18:37:00","problem_types":["CWE-78"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:A/AC:L/Au:N/C:C/I:C/A:C","accessVector":"ADJACENT_NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":8.3},"severity":"HIGH","exploitabilityScore":6.5,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:dlink:dir-878_firmware:*:*:*:*:*:*:*:*","versionEndIncluding":"1.20b05","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:dlink:dir-878:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":null,"notes":[]}}}