CVE-2026-8346 — D-Link DIR-816 1.10CNB05_R1B011D88210 Command Injection
CVE-2026-8346 — A vulnerability was detected in D-Link DIR-816 1.10CNB05_R1B011D88210. This affects the function portForward. Performing a manipulation of the argument ip_address results in command injection. The attack can be initiated remotely. The exploit is now public and may be used.
What This Means For You
- If your environment is affected by CWE-74, CWE-77, review your exposure and prioritize patching based on your environment. Monitor vendor advisories for CVE-2026-8346 updates and patches.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-8346 D-Link DIR-816 Port Forwarding Command Injection
title: CVE-2026-8346 D-Link DIR-816 Port Forwarding Command Injection
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
Detects exploitation attempts against D-Link DIR-816 devices via the portForward function. The vulnerability (CVE-2026-8346) allows command injection by manipulating the 'ip_address' parameter. This rule specifically looks for the '/goform/portForward' URI and the presence of command injection characters like '&&' or ';' within the 'ip_address' parameter in the query string.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-8346/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/goform/portForward'
cs-uri-query|contains:
- 'ip_address='
cs-uri-query|contains:
- '&&'
cs-uri-query|contains:
- ';'
condition: cs-uri AND cs-uri-query
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8346 | vulnerability | CVE-2026-8346 |
| CWE-74 | weakness | CWE-74 |
| CWE-77 | weakness | CWE-77 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 03:17 UTC |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-45321: TanStack npm Packages Hit by Critical Supply Chain Attack
CVE-2026-45321 — On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes...
CVE-2026-8349 — Omec-Project Amf Vulnerability
CVE-2026-8349 — A flaw has been found in omec-project amf up to 2.1.1. This vulnerability affects unknown code of the component NGAP Message Handler. Executing...
CVE-2026-8345 — D-Link DIR-816 1.10CNB05_R1B011D88210 Command Injection
CVE-2026-8345 — A security vulnerability has been detected in D-Link DIR-816 1.10CNB05_R1B011D88210. Affected by this issue is the function sub_445E7C of the file /goform/singlePortForward. Such...