OS Command Injection in /goform/setSysAdmin of D-Link DCS-931L <=1.13.0 (IoT)
CVE-2026-2260 Published on February 10, 2026

D-Link DCS-931L setSysAdmin os command injection
A vulnerability was found in D-Link DCS-931L up to 1.13.0. This affects an unknown part of the file /goform/setSysAdmin. The manipulation of the argument AdminID results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.

NVD

Timeline

Advisory disclosed

VulDB entry created

VulDB entry last update 1 day later.

Weakness Types

What is a Shell injection Vulnerability?

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVE-2026-2260 has been classified to as a Shell injection vulnerability or weakness.

What is a Command Injection Vulnerability?

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CVE-2026-2260 has been classified to as a Command Injection vulnerability or weakness.


Affected Versions

D-Link DCS-931L:

Exploit Probability

EPSS
0.24%
Percentile
47.02%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.