D-Link DIR-823X set_language os command injection

A weakness has been identified in D-Link DIR-823X 250416. This impacts an unknown function of the file /goform/set_language. Executing a manipulation of the argument langSelection can lead to os command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.

Problem type

Affected products

D-Link

DIR-823X

250416 - AFFECTED

References

VDB-344651 | D-Link DIR-823X set_language os command injection

https://vuldb.com/?id.344651

vdb-entrytechnical-description

VDB-344651 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.344651

signaturepermissions-required

Submit #746379 | D-Link DIR 250416 OS Command Injection

https://vuldb.com/?submit.746379

third-party-advisory

Submit #746380 | D-Link DIR-823X 250416 OS Command Injection (Duplicate)

https://vuldb.com/?submit.746380

third-party-advisory

github.com

https://github.com/master-abc/cve/issues/24

exploitissue-tracking

dlink.com

https://www.dlink.com/

product

GitHub Security Advisories

GHSA-r7qq-8r7x-5553

A weakness has been identified in D-Link DIR-823X 250416. This impacts an unknown function of the...

https://github.com/advisories/GHSA-r7qq-8r7x-5553

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-2084

github.com

https://github.com/master-abc/cve/issues/24

vuldb.com

https://vuldb.com/?ctiid.344651

vuldb.com

https://vuldb.com/?id.344651

vuldb.com

https://vuldb.com/?submit.746379

vuldb.com

https://vuldb.com/?submit.746380

dlink.com

https://www.dlink.com

github.com

https://github.com/advisories/GHSA-r7qq-8r7x-5553

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-2084

Click to expand

{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-2084",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2026-02-07T11:32:09.250Z",
    "dateReserved": "2026-02-06T08:15:49.330Z",
    "datePublished": "2026-02-07T11:32:09.250Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2026-02-07T11:32:09.250Z"
      },
      "title": "D-Link DIR-823X set_language os command injection",
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in D-Link DIR-823X 250416. This impacts an unknown function of the file /goform/set_language. Executing a manipulation of the argument langSelection can lead to os command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks."
        }
      ],
      "affected": [
        {
          "vendor": "D-Link",
          "product": "DIR-823X",
          "versions": [
            {
              "version": "250416",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "OS Command Injection",
              "cweId": "CWE-78",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Command Injection",
              "cweId": "CWE-77",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.344651",
          "name": "VDB-344651 | D-Link DIR-823X set_language os command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.344651",
          "name": "VDB-344651 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.746379",
          "name": "Submit #746379 | D-Link DIR 250416 OS Command Injection",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.746380",
          "name": "Submit #746380 | D-Link DIR-823X 250416 OS Command Injection (Duplicate)",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://github.com/master-abc/cve/issues/24",
          "tags": [
            "exploit",
            "issue-tracking"
          ]
        },
        {
          "url": "https://www.dlink.com/",
          "tags": [
            "product"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "baseScore": 7.2,
            "baseSeverity": "HIGH"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "baseScore": 7.2,
            "baseSeverity": "HIGH"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
            "baseScore": 8.3
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-02-06T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2026-02-06T01:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2026-02-06T09:20:54.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "942384053 (VulDB User)",
          "type": "reporter"
        }
      ]
    }
  }
}