Skip to main content

Wl Wn579a3 CVE-2026-6559

| EUVDEUVD-2026-23682 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-19 VulDB GHSA-x8cm-r99c-gv26
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
CVSS changed
Apr 19, 2026 - 06:22 NVD
4.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
Apr 19, 2026 - 05:47 vuln.today
EUVD ID Assigned
Apr 19, 2026 - 05:45 euvd
EUVD-2026-23682
Analysis Generated
Apr 19, 2026 - 05:45 vuln.today
Patch released
Apr 19, 2026 - 05:45 nvd
Patch available
CVE Published
Apr 19, 2026 - 05:15 nvd
MEDIUM 5.3

DescriptionCVE.org

A weakness has been identified in Wavlink WL-WN579A3 220323. This affects the function sub_401F80 of the file /cgi-bin/login.cgi. This manipulation of the argument Hostname causes cross site scripting. Remote exploitation of the attack is possible. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

AnalysisAI

Stored cross-site scripting (XSS) in Wavlink WL-WN579A3 wireless router allows remote unauthenticated attackers to inject malicious scripts via the Hostname parameter in /cgi-bin/login.cgi, affecting all firmware versions prior to 2026-03-10. The vulnerability requires user interaction (UI:R) to trigger payload execution in a victim's browser, limiting direct remote code execution but enabling credential theft, session hijacking, or malware distribution. A vendor patch was released promptly after responsible disclosure.

Technical ContextAI

The vulnerability exists in a stored XSS weakness (CWE-79) within the login interface of the Wavlink WL-WN579A3 dual-band wireless router. The router's CGI script /cgi-bin/login.cgi fails to properly sanitize or encode the Hostname parameter before rendering it in HTML responses. When a remote attacker submits a crafted Hostname value containing JavaScript payloads, the input is stored in the device configuration and reflected back to users (likely administrators) accessing the login page. The affected firmware uses version numbering scheme 220323 through 2026-03-10, indicating builds from March 2022 through March 2026. The router's embedded web interface, typically accessed on port 80 or 443, serves as the attack surface.

RemediationAI

Apply the vendor-released firmware patch immediately: upgrade to firmware version WINSTAR_WN579A3-A-2026-03-10 or later, available from https://dl.wavlink.com/firmware/RD/WINSTAR_WN579A3-A-2026-03-10-94f93d4-WO-mt7628-squashfs-sysupgrade.bin. This patch directly addresses the Hostname parameter sanitization in /cgi-bin/login.cgi. If immediate patching is not feasible, implement the following compensating controls: disable remote web management access by restricting the router's web interface to local LAN-only connections (disable WAN access to ports 80/443); change the default router administrator password to a strong, unique credential to mitigate the impact of any injected credential-theft scripts; block the router's web management port at the network perimeter firewall, permitting admin access only from trusted management VLANs; and periodically review the router's hostname configuration in the web interface settings to detect suspicious changes that may indicate an attempted payload injection. Each control has trade-offs: restricting WAN access may prevent legitimate remote management scenarios; firewall blocking requires manual exceptions for authorized administrators.

Share

CVE-2026-6559 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy