CVE-2026-2529

MEDIUM

Wavlink WL-WN579A3 <20210219 - Command Injection

Title source: llm

Description

A security flaw has been discovered in Wavlink WL-WN579A3 up to 20210219. Affected by this issue is the function DeleteMac of the file /cgi-bin/wireless.cgi. The manipulation of the argument delete_list results in command injection. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

[Various Sources] https://github.com/MRAdera/IoT-Vuls/blob/main/wavlink/wn579a3/DeleteMac.md

View Writeup ZIP pw:eip

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.346117

[Permissions Required, VDB Entry] https://vuldb.com/?id.346117

[Permissions Required, VDB Entry] https://vuldb.com/?submit.748076

Scores

CVSS v3 6.3

EPSS 0.0038

EPSS Percentile 59.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-74 CWE-77

Status published

Affected Products (1)

wavlink/wl-wn579a3_firmware < 2021-02-19

Timeline

Published Feb 16, 2026

Tracked Since Feb 18, 2026