# CVE-2026-36956: Cross-Site Request Forgery (CSRF) Vulnerability in Web Management Interface

## Vulnerability Overview

* **CVE ID**: CVE-2026-36956
* **CVSS Score**: 8.8 (High)
* **Affected Product**: Shenzhen Dibit Network Equipment Co., Ltd. (Dibit Network) Dbit Router Firmware
* **Affected Version**: V1.0.0
* **Vulnerability Description**: Firmware version V1.0.0 does not implement CSRF protection mechanisms (such as anti-CSRF tokens or strict Origin/Referer validation). An attacker can craft a malicious webpage and lure an authenticated administrator into visiting it; the administrator's browser then sends forged HTTP requests, carrying the valid session, that modify the router configuration.

## Impact Scope

* **Attack Vector**: Network
* **Attack Complexity**: Low
* **Privileges Required**: None
* **User Interaction**: Required
* **Impact**:
  * Confidentiality: High
  * Integrity: High
  * Availability: High
* **Affected Endpoints**:
  * `/api/setWlan`: Wireless network configuration (SSID, password)
  * `/api/setWan`: WAN configuration
  * `/api/setSystem`: System configuration
* **Specific Harm**:
  * Unauthorized modification of WiFi SSID and password
  * WAN/DNS configuration changes
  * Denial of service for legitimate users
  * Complete takeover of router configuration

## Remediation

* Implement anti-CSRF tokens on all state-changing endpoints.
* Enforce strict Origin and Referer header validation.
* Use the `SameSite=Strict` attribute for session cookies.

## Proof-of-Concept Code (POC)

```javascript
fetch('http://192.168.10.1/api/setWlan', {
  method: 'POST',
  credentials: 'include',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ ssid: "Hacked_Network", password: "Attacker123" })
});
```