Command Injection Vulnerability in D-Link DWR-M961 Router
CVE-2026-1624

5.3MEDIUM

Key Information:

Vendor: D-link
Status: Dwr-m961
Vendor: CVE Published:; 29 January 2026

What is CVE-2026-1624?

A security vulnerability has been identified in the D-Link DWR-M961 router, specifically in the unknown function of the file /boafrm/formLtefotaUpgradeFibocom. This flaw allows attackers to execute arbitrary commands on the device by manipulating the 'fota_url' argument. The attack can be carried out remotely, exposing systems to potential exploitation. Public disclosure of this vulnerability raises concerns among users, highlighting the need for prompt remediation.

Affected Version(s)

DWR-M961 1.1.47

References

https://vuldb.com/?id.343383

vdb-entrytechnical-description

https://vuldb.com/?ctiid.343383

signaturepermissions-required

https://vuldb.com/?submit.740770

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 29, 2026
Vulnerability Reserved
Jan 29, 2026

Credit

hhsw34 (VulDB User)

CVE-2026-1624 Data

JSON