Skip to main content

Wavlink NU516U1 CVE-2026-8228

| EUVDEUVD-2026-28976 LOW
OS Command Injection (CWE-78)
2026-05-10 VulDB GHSA-4vgm-cq4r-3fhg
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 10, 2026 - 05:22 NVD
MEDIUM LOW
CVSS changed
May 10, 2026 - 05:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 10, 2026 - 05:15 vuln.today
CVE Published
May 10, 2026 - 04:00 nvd
MEDIUM 6.3

DescriptionCVE.org

A security vulnerability has been detected in Wavlink NU516U1 240425. Impacted is the function advance of the file /cgi-bin/wireless.cgi. Such manipulation of the argument wlan_conf/Channel/skiplist/ieee_80211h leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure.

AnalysisAI

OS command injection in Wavlink NU516U1 240425 wireless configuration module allows authenticated remote attackers to execute arbitrary system commands via manipulation of the wlan_conf/Channel/skiplist/ieee_80211h parameter in /cgi-bin/wireless.cgi. Publicly available exploit code exists, and the vendor was notified early of disclosure. CVSS 6.3 reflects the moderate impact of command execution under authenticated conditions.

Technical ContextAI

The vulnerability exists in the advance function of the wireless.cgi CGI script, which processes wireless configuration parameters without proper input sanitization. The affected parameter wlan_conf/Channel/skiplist/ieee_80211h is passed unsanitized to an OS command execution context, enabling shell command injection via special characters or command separators (CWE-78: Improper Neutralization of Special Elements used in an OS Command). The CPE cpe:2.3:a:wavlink:nu516u1:*:*:*:*:*:*:*:* indicates all versions of the NU516U1 product are affected. This is a typical HTTP-based web application vulnerability in embedded network device management interfaces.

RemediationAI

Apply firmware patch from Wavlink if available for NU516U1; contact Wavlink support for patched firmware version details, as the vendor was early-notified of this disclosure and may have a security update ready. If no patch is immediately available, implement network-level mitigations: restrict access to the /cgi-bin/wireless.cgi endpoint to trusted administrative networks using firewall rules or VPN-only access; disable remote HTTP/HTTPS access to the device management interface if not required for operations; enforce strong, unique credentials for all device management accounts and rotate them immediately if any compromise is suspected; use a Web Application Firewall (WAF) to filter requests containing command injection payloads (e.g., semicolons, backticks, pipes, command substitution syntax in the wlan_conf parameter). Trade-off: WAF rules may generate false positives if legitimate wireless configurations use special characters; coordinate with network operations before deployment. Disable the advance wireless configuration function entirely if not in active use.

Share

CVE-2026-8228 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy