Command Injection Vulnerability in D-Link DWR-M961 Router
CVE-2026-1596

5.3MEDIUM

Key Information:

Vendor: D-link
Status: Dwr-m961
Vendor: CVE Published:; 29 January 2026

What is CVE-2026-1596?

A command injection vulnerability exists in the D-Link DWR-M961 router, specifically within the function sub_419920 of the /boafrm/formLtefotaUpgradeQuectel file. This security flaw allows for unauthorized manipulation of the fota_url argument, potentially enabling an attacker to execute arbitrary commands on the device remotely. The exploit has been made public, raising concerns over the security of networks utilizing this router model.

Affected Version(s)

DWR-M961 1.1.47

References

https://vuldb.com/?id.343358

vdb-entrytechnical-description

https://vuldb.com/?ctiid.343358

signaturepermissions-required

https://vuldb.com/?submit.740693

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 29, 2026
Vulnerability Reserved
Jan 29, 2026

Credit

hhsw34 (VulDB User)

CVE-2026-1596 Data

JSON