CVE-2026-4543

MEDIUM

Wavlink WL-WN578W2 POST Request firewall.cgi command injection

Title source: cna

Description

A vulnerability was found in Wavlink WL-WN578W2 221110. The impacted element is an unknown function of the file /cgi-bin/firewall.cgi of the component POST Request Handler. Performing a manipulation of the argument dmz_flag/del_flag results in command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (6)

[Vdb Entry, Technical Description] https://vuldb.com/?id.352360

[Signature, Permissions Required] https://vuldb.com/?ctiid.352360

[Third Party Advisory] https://vuldb.com/?submit.774690

[Third Party Advisory] https://vuldb.com/?submit.774691

[Related] https://github.com/Litengzheng/vul_db/blob/main/WL-WN578W2/vul_4/README.md

[Exploit] https://github.com/Litengzheng/vul_db/blob/main/WL-WN578W2/vul_5/README.md

View Exploit ZIP pw:eip

Scores

CVSS v3 6.3

EPSS 0.0037

EPSS Percentile 58.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Details

CWE

CWE-74 CWE-77

Status published

Products (1)

Wavlink/WL-WN578W2 221110

Published Mar 22, 2026

Tracked Since Mar 22, 2026