CVE-2026-1744 is a medium-severity cross-site scripting vulnerability affecting the D-Link DSL-6641K router running firmware version N8.TR069.20131126. The vulnerability exists in the JavaScript function doSubmitPPP within the sp_pppoe_user.js file, where the Username parameter is improperly sanitized. This flaw allows an attacker to inject malicious scripts remotely by manipulating the Username argument, potentially leading to script execution in the context of the router's web interface. The attack vector is remote and does not require authentication, but user interaction is necessary, such as convincing a user to visit a maliciously crafted URL or submit manipulated input. The vulnerability does not impact confidentiality or availability directly but can be leveraged for session hijacking, phishing, or further attacks against the router's management interface. The affected product is no longer supported by D-Link, and no official patches or updates are available. Although the exploit code has been publicly disclosed, no confirmed active exploitation in the wild has been reported. The CVSS 4.8 score reflects the medium risk due to ease of exploitation combined with limited impact and user interaction requirements. This vulnerability primarily threatens environments where the DSL-6641K device is still in use, especially if remote management interfaces are exposed to untrusted networks.

The primary impact of CVE-2026-1744 is the potential for attackers to execute arbitrary scripts within the router's web management interface, which can lead to session hijacking, unauthorized configuration changes, or phishing attacks targeting administrators. While it does not directly compromise device confidentiality or availability, successful exploitation can undermine the integrity of router management and potentially facilitate further attacks on the network. Organizations using the affected D-Link DSL-6641K routers, particularly in environments where remote management is enabled or where users can be socially engineered to interact with malicious content, face increased risk. Since the product is no longer supported, the lack of patches increases the likelihood of prolonged exposure. This can be especially problematic in small to medium enterprises or residential setups relying on this hardware, potentially leading to network compromise or persistent attacker footholds.

Given the absence of official patches, organizations should implement compensating controls to mitigate risk. First, disable remote management interfaces on the DSL-6641K router to prevent external access to the vulnerable web interface. Second, segment the network to isolate the router management interface from untrusted networks, limiting exposure to potential attackers. Third, educate users and administrators about the risks of interacting with suspicious links or inputs that could trigger the XSS vulnerability. Fourth, consider replacing the affected hardware with supported devices that receive regular security updates. Additionally, monitor network traffic for unusual activity around the router management interface and employ web application firewalls or intrusion detection systems to detect and block exploitation attempts. Where possible, restrict access to the router’s web interface to trusted IP addresses only.