Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A weakness has been identified in Wavlink WL-WN579A3 220323. This affects the function sub_401F80 of the file /cgi-bin/login.cgi. This manipulation of the argument Hostname causes cross site scripting. Remote exploitation of the attack is possible. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
AnalysisAI
Stored cross-site scripting (XSS) in Wavlink WL-WN579A3 wireless router allows remote unauthenticated attackers to inject malicious scripts via the Hostname parameter in /cgi-bin/login.cgi, affecting all firmware versions prior to 2026-03-10. The vulnerability requires user interaction (UI:R) to trigger payload execution in a victim's browser, limiting direct remote code execution but enabling credential theft, session hijacking, or malware distribution. A vendor patch was released promptly after responsible disclosure.
Technical ContextAI
The vulnerability exists in a stored XSS weakness (CWE-79) within the login interface of the Wavlink WL-WN579A3 dual-band wireless router. The router's CGI script /cgi-bin/login.cgi fails to properly sanitize or encode the Hostname parameter before rendering it in HTML responses. When a remote attacker submits a crafted Hostname value containing JavaScript payloads, the input is stored in the device configuration and reflected back to users (likely administrators) accessing the login page. The affected firmware uses version numbering scheme 220323 through 2026-03-10, indicating builds from March 2022 through March 2026. The router's embedded web interface, typically accessed on port 80 or 443, serves as the attack surface.
RemediationAI
Apply the vendor-released firmware patch immediately: upgrade to firmware version WINSTAR_WN579A3-A-2026-03-10 or later, available from https://dl.wavlink.com/firmware/RD/WINSTAR_WN579A3-A-2026-03-10-94f93d4-WO-mt7628-squashfs-sysupgrade.bin. This patch directly addresses the Hostname parameter sanitization in /cgi-bin/login.cgi. If immediate patching is not feasible, implement the following compensating controls: disable remote web management access by restricting the router's web interface to local LAN-only connections (disable WAN access to ports 80/443); change the default router administrator password to a strong, unique credential to mitigate the impact of any injected credential-theft scripts; block the router's web management port at the network perimeter firewall, permitting admin access only from trusted management VLANs; and periodically review the router's hostname configuration in the web interface settings to detect suspicious changes that may indicate an attempted payload injection. Each control has trade-offs: restricting WAN access may prevent legitimate remote management scenarios; firewall blocking requires manual exceptions for authorized administrators.
More in Wl Wn579a3
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23682
GHSA-x8cm-r99c-gv26