{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4555", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-21T17:01:53.514Z", "datePublished": "2026-03-22T16:51:22.507Z", "dateUpdated": "2026-03-23T15:28:12.714Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-22T16:51:22.507Z"}, "title": "D-Link DIR-513 boa formEasySetTimezone memory corruption", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-121", "lang": "en", "description": "Stack-based Buffer Overflow"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "D-Link", "product": "DIR-513", "versions": [{"version": "1.10", "status": "affected"}], "modules": ["boa"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in D-Link DIR-513 1.10. The impacted element is the function formEasySetTimezone of the file /goform/formEasySetTimezone of the component boa. This manipulation of the argument curTime causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "baseSeverity": "HIGH"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 9, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-21T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-21T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-21T18:07:09.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "LtzHust2 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.352382", "name": "VDB-352382 | D-Link DIR-513 boa formEasySetTimezone memory corruption", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352382", "name": "VDB-352382 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.774936", "name": "Submit #774936 | D-Link DIR-513 1.10 Stack-based Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Litengzheng/vul_db/blob/main/Dir513/vul_24/README.md", "tags": ["exploit"]}, {"url": "https://www.dlink.com/", "tags": ["product"]}], "tags": ["unsupported-when-assigned"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:28:03.109187Z", "id": "CVE-2026-4555", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:28:12.714Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"tags": ["unsupported-when-assigned"], "title": "D-Link DIR-513 boa formEasySetTimezone memory corruption", "credits": [{"lang": "en", "type": "reporter", "value": "LtzHust2 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 9, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "D-Link", "modules": ["boa"], "product": "DIR-513", "versions": [{"status": "affected", "version": "1.10"}]}], "timeline": [{"lang": "en", "time": "2026-03-21T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-21T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-21T18:07:09.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.352382", "name": "VDB-352382 | D-Link DIR-513 boa formEasySetTimezone memory corruption", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352382", "name": "VDB-352382 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.774936", "name": "Submit #774936 | D-Link DIR-513 1.10 Stack-based Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Litengzheng/vul_db/blob/main/Dir513/vul_24/README.md", "tags": ["exploit"]}, {"url": "https://www.dlink.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in D-Link DIR-513 1.10. The impacted element is the function formEasySetTimezone of the file /goform/formEasySetTimezone of the component boa. This manipulation of the argument curTime causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "Stack-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-22T16:51:22.507Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4555", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T15:28:03.109187Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-23T15:28:07.405Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-4555", "state": "PUBLISHED", "dateUpdated": "2026-03-22T16:51:22.507Z", "dateReserved": "2026-03-21T17:01:53.514Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-22T16:51:22.507Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dir-513_firmware:1.10:*:*:*:*:*:*:*", "matchCriteriaId": "3DF100F1-CDF4-4B41-B19F-D576B72DC3CD", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dir-513:-:*:*:*:*:*:*:*", "matchCriteriaId": "0BA55B8A-4781-4004-B936-0F212C1A6316", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [{"sourceIdentifier": "cna@vuldb.com", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in D-Link DIR-513 1.10. The impacted element is the function formEasySetTimezone of the file /goform/formEasySetTimezone of the component boa. This manipulation of the argument curTime causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer."}, {"lang": "es", "value": "Una debilidad ha sido identificada en D-Link DIR-513 1.10. El elemento afectado es la funci\u00f3n formEasySetTimezone del archivo /goform/formEasySetTimezone del componente boa. Esta manipulaci\u00f3n del argumento curTime causa desbordamiento de b\u00fafer basado en pila. El ataque puede ser iniciado remotamente. El exploit ha sido puesto a disposici\u00f3n del p\u00fablico y podr\u00eda ser usado para ataques. Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el mantenedor."}], "id": "CVE-2026-4555", "lastModified": "2026-04-03T19:31:00.670", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-22T17:17:09.937", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Litengzheng/vul_db/blob/main/Dir513/vul_24/README.md"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.352382"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.352382"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.774936"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://www.dlink.com/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}], "source": "cna@vuldb.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.10"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "DIR-513", "source": "cna", "vendor": "D-Link"}, "product": "dir-513", "vendor": "d-link"}], "analysis": {"en": {"generated_at": "2026-03-22T18:21:55.260022+00:00", "value": {"mitigation_remediation": ["Check the D\u2011Link website for a firmware upgrade that addresses the buffer overflow and install it as soon as it becomes available.", "If no update can be obtained, disable the web management interface or block HTTP/HTTPS ports to stop remote access.", "If disabling the interface is not feasible, replace the DIR\u2011513 router with a supported model that has a patched firmware."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via stack-based buffer overflow"}, "threat_synthesis": {"affected_systems": "D\u2011Link DIR\u2011513 routers running firmware version 1.10. The affected product is no longer supported by the vendor, so it does not receive security updates.", "description_and_impact": "A stack-based buffer overflow occurs in the formEasySetTimezone function in the boa component of the DIR\u2011513 router firmware. When the curTime argument is manipulated, the function overflows a buffer on the stack, allowing an attacker to execute arbitrary code on the device. The exposed web interface can be accessed remotely, and the vulnerability is public, making exploitation straightforward once an attacker is able to send crafted input.", "risk_and_exploitability": "The CVSS score of 8.7 reflects a high severity and the description states that the attack can be initiated remotely. EPSS data is not available, and the vulnerability is not listed in the KEV catalog. Because the exploit is publicly available and can be triggered from a network location, the risk of real-world exploitation is significant. The lack of vendor support limits the possibility of a formal patch, increasing the likelihood that affected devices will remain vulnerable unless mitigated by disabling the web interface or replacing the hardware."}}}}, "created": "2026-03-23T09:45:53.816305+00:00", "updated": "2026-03-25T14:50:28.880912+00:00", "vendors": ["d-link", "d-link$PRODUCT$dir-513"]}