CVE-2026-3661

MEDIUM

Wavlink WL-NU516U1 240425 - Command Injection

Title source: llm

Description

A flaw has been found in Wavlink WL-NU516U1 240425. This affects the function ota_new_upgrade of the file /cgi-bin/adm.cgi. This manipulation of the argument model causes command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure.

References (4)

[Third Party Advisory] https://github.com/jinhao118/cve/blob/main/WAVLINK_1.md

View Writeup ZIP pw:eip

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.349550

[Permissions Required, VDB Entry] https://vuldb.com/?id.349550

[Permissions Required, VDB Entry] https://vuldb.com/?submit.758227

Scores

CVSS v3 4.7

EPSS 0.0023

EPSS Percentile 46.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-74 CWE-77

Status published

Products (1)

wavlink/wl-nu516u1_firmware m16u1_v240425

Published Mar 07, 2026

Tracked Since Mar 07, 2026