Command Injection Vulnerability in D-Link DWR-M961 Router
CVE-2026-1625

5.3MEDIUM

Key Information:

Vendor: D-link
Status: Dwr-m961
Vendor: CVE Published:; 29 January 2026

What is CVE-2026-1625?

A command injection vulnerability exists in the D-Link DWR-M961 router, specifically within the SMS Message management functionality. This weakness is triggered when input values are manipulated in the action_value parameter of the function sub_4250E0 within the file path /boafrm/formSmsManage. An attacker can exploit this vulnerability remotely to execute arbitrary commands. The details of the exploit have been made public, exposing the affected product to potential attacks.

Affected Version(s)

DWR-M961 1.1.47

References

https://vuldb.com/?id.343384

vdb-entrytechnical-description

https://vuldb.com/?ctiid.343384

signaturepermissions-required

https://vuldb.com/?submit.740792

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 29, 2026
Vulnerability Reserved
Jan 29, 2026

Credit

hhsw34 (VulDB User)

CVE-2026-1625 Data

JSON