CVE-2026-3662

MEDIUM

Wavlink WL-NU516U1 240425 - Command Injection

Title source: llm

Description

A vulnerability has been found in Wavlink WL-NU516U1 240425. This vulnerability affects the function usb_p910 of the file /cgi-bin/adm.cgi. Such manipulation of the argument Pr_mode leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure.

References (4)

[Third Party Advisory] https://github.com/jinhao118/cve/blob/main/WAVLINK_2.md

View Writeup ZIP pw:eip

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.349551

[Permissions Required, VDB Entry] https://vuldb.com/?id.349551

[Permissions Required, VDB Entry] https://vuldb.com/?submit.758228

Scores

CVSS v3 4.7

EPSS 0.0023

EPSS Percentile 46.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-74 CWE-77

Status published

Products (1)

wavlink/wl-nu516u1_firmware m16u1_v240425

Published Mar 07, 2026

Tracked Since Mar 07, 2026