The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-1744

CVE-2026-1744: D-Link DSL-6641K XSS Vulnerability

CVE-2026-1744 is a cross-site scripting flaw in D-Link DSL-6641K routers affecting the doSubmitPPP function. This remotely exploitable vulnerability poses risks to unsupported devices. Learn about technical details, impact, and mitigation.

Published: February 6, 2026

CVE-2026-1744 Overview

A Cross-Site Scripting (XSS) vulnerability has been identified in the D-Link DSL-6641K router running firmware version N8.TR069.20131126. This vulnerability affects the doSubmitPPP function within the sp_pppoe_user.js file, where improper sanitization of the Username argument allows an attacker to inject malicious scripts. The vulnerability can be exploited remotely and has been publicly disclosed, meaning exploit information is available. Notably, this vulnerability affects a product that has reached end-of-life status and is no longer supported by D-Link.

Critical Impact

Attackers with administrative access can inject malicious scripts through the PPPoE configuration interface, potentially leading to session hijacking, credential theft, or administrative account compromise on affected D-Link DSL-6641K routers.

Affected Products

  • D-Link DSL-6641K firmware version N8.TR069.20131126
  • D-Link DSL-6641K routers with web-based management interface enabled
  • End-of-life D-Link networking equipment running vulnerable firmware

Discovery Timeline

  • 2026-02-02 - CVE CVE-2026-1744 published to NVD
  • 2026-02-03 - Last updated in NVD database

Technical Details for CVE-2026-1744

Vulnerability Analysis

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in the doSubmitPPP function within the sp_pppoe_user.js file, which handles PPPoE (Point-to-Point Protocol over Ethernet) user configuration on the router's web management interface.

When an authenticated user with administrative privileges submits configuration data through the PPPoE user interface, the Username parameter is processed without proper input sanitization or output encoding. This allows an attacker to inject arbitrary JavaScript code that will execute in the context of other users' browser sessions when they access the affected configuration page.

Given that the attack requires high privileges (administrative access) and passive user interaction for successful exploitation, the real-world impact is constrained to scenarios where an attacker has already gained administrative access to the router or can trick an administrator into clicking a malicious link. The exploit has been made public, increasing the risk for organizations still running this end-of-life device.

Root Cause

The root cause of this vulnerability is insufficient input validation and output encoding in the doSubmitPPP function. The function fails to properly sanitize user-supplied input in the Username field before reflecting it back in the web interface. This violates secure coding practices that require all user input to be treated as untrusted and properly encoded before being rendered in HTML contexts.

The affected firmware version N8.TR069.20131126 lacks the necessary character filtering or encoding mechanisms to neutralize potentially dangerous characters such as <, >, ", ', and & that are commonly used in XSS attacks.

Attack Vector

The attack is network-based and requires the attacker to have administrative access to the device's web management interface. The exploitation flow involves:

  1. An attacker with administrative credentials accesses the PPPoE configuration page
  2. The attacker submits a malicious payload in the Username field containing JavaScript code
  3. The payload is stored or reflected without proper sanitization
  4. When another administrator or the same user accesses the configuration page, the malicious script executes in their browser context
  5. The script can then steal session cookies, capture keystrokes, or perform actions on behalf of the authenticated user

The vulnerability mechanism involves injecting script content through the Username parameter in the PPPoE user configuration interface. When the web application renders this input without proper encoding, the browser interprets the injected content as executable code. Detailed technical information about this vulnerability can be found in the Notion XSS Vulnerability Report and VulDB entry #343675.

Detection Methods for CVE-2026-1744

Indicators of Compromise

  • Unusual JavaScript content or HTML tags appearing in PPPoE username configuration fields
  • HTTP request logs showing encoded script tags or event handlers in the Username parameter
  • Unexpected outbound connections from client browsers after accessing router management pages
  • Modified or suspicious entries in the PPPoE user configuration settings

Detection Strategies

  • Monitor web application logs for requests to sp_pppoe_user.js containing script tags, event handlers (onload, onerror, onclick), or encoded payloads
  • Implement content security policy (CSP) headers on the management interface to detect and block inline script execution
  • Review router configuration exports for unexpected characters or JavaScript code in username fields
  • Deploy network monitoring to identify anomalous traffic patterns from devices accessing the router's management interface

Monitoring Recommendations

  • Enable detailed logging on the router's web management interface if available
  • Configure SIEM rules to alert on potential XSS payload patterns in HTTP traffic to router management IPs
  • Periodically audit PPPoE configuration settings for unauthorized modifications
  • Monitor for any network connections initiated from administrator workstations immediately after accessing router management pages

How to Mitigate CVE-2026-1744

Immediate Actions Required

  • Replace end-of-life D-Link DSL-6641K devices with currently supported networking equipment
  • Restrict access to the router's web management interface to trusted IP addresses only
  • Disable remote management access from WAN interfaces
  • Implement network segmentation to isolate the management interface from general network traffic
  • Use a dedicated, hardened browser for router administration tasks

Patch Information

This vulnerability affects the D-Link DSL-6641K router which has reached end-of-life status and is no longer supported by the vendor. D-Link has not released and will not release a security patch for this vulnerability. Organizations using this device should prioritize replacement with currently supported hardware. For more information about D-Link products, visit the D-Link Official Website.

Additional vulnerability details and threat intelligence can be found at VulDB #343675 and the VulDB CTI entry.

Workarounds

  • Configure firewall rules to restrict management interface access to specific administrator IP addresses only
  • Disable the web management interface when not actively in use for configuration changes
  • Place the router behind a VPN so management access requires VPN authentication first
  • Implement a web application firewall (WAF) if possible to filter malicious input before it reaches the device
bash
# Example: Restrict management access via iptables on upstream firewall
# Replace 192.168.1.1 with router IP and 192.168.1.100 with admin workstation IP
iptables -A FORWARD -d 192.168.1.1 -p tcp --dport 80 -s 192.168.1.100 -j ACCEPT
iptables -A FORWARD -d 192.168.1.1 -p tcp --dport 80 -j DROP
iptables -A FORWARD -d 192.168.1.1 -p tcp --dport 443 -s 192.168.1.100 -j ACCEPT
iptables -A FORWARD -d 192.168.1.1 -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeXSS
  • Vendor/TechD Link
  • SeverityMEDIUM
  • CVSS Score4.8
  • EPSS Probability0.03%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityLow
  • AvailabilityNone
  • CWE References
  • CWE-79
  • Technical References
  • Notion XSS Vulnerability Report
  • VulDB #343675 (CTI)
  • VulDB #343675
  • VulDB Submission #742439
  • D-Link Official Website
  • Related CVEs
  • CVE-2026-1705: D-Link DSL-6641K XSS Vulnerability
  • CVE-2026-5312: D-Link NAS Authentication Bypass Flaw
  • CVE-2026-4486: D-Link DIR-513 Buffer Overflow Vulnerability
  • CVE-2026-4499: D-Link DIR-820LW RCE Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English