CVE-2026-11339

EUVD-2026-34859
A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup. The manipulation of the argument ussdValue results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://github.com/7u7777/Dlink/blob/DWR-M920/formUSSDSetup.md
https://vuldb.com/cve/CVE-2026-11339
https://vuldb.com/submit/832579
https://vuldb.com/vuln/368881
https://vuldb.com/vuln/368881/cti
https://www.dlink.com/