CVE-2026-8272 MEDIUM

CVE-2026-8272: D-Link DNS-320 webfile_mgr.cgi chown os command injection

Vendor D-Link
Product DNS-320
Weakness CWE-78
Published May 11, 2026
Last update May 12, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A security flaw has been discovered in D-Link DNS-320 2.06B01. This affects the function delete/rename/copy/move/chmod/chown of the file /cgi-bin/webfile_mgr.cgi. The manipulation results in os command injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.

Key dates

02Disclosure timeline

May 11, 2026 CVE published
May 12, 2026 Record updated