Skip to main content

Wavlink NU516U1 CVE-2026-8230

| EUVDEUVD-2026-28978 LOW
OS Command Injection (CWE-78)
2026-05-10 VulDB GHSA-qv2r-5x2x-f9xv
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 10, 2026 - 05:22 NVD
MEDIUM LOW
CVSS changed
May 10, 2026 - 05:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 10, 2026 - 05:15 vuln.today
CVE Published
May 10, 2026 - 04:30 nvd
MEDIUM 6.3

DescriptionCVE.org

A flaw has been found in Wavlink NU516U1 240425. The impacted element is the function sys_login1 of the file /cgi-bin/login.cgi. Executing a manipulation of the argument ipaddr can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure.

AnalysisAI

OS command injection in Wavlink NU516U1 240425 via the ipaddr parameter in /cgi-bin/login.cgi allows authenticated remote attackers to execute arbitrary system commands with limited impact (confidentiality, integrity, availability). The vulnerability requires valid credentials (PR:L) but can be exploited over the network without user interaction. Publicly available exploit code exists, and the vendor was notified during coordinated disclosure.

Technical ContextAI

The vulnerability exists in the sys_login1 function within the login.cgi CGI script, a common web interface component in network devices. The ipaddr parameter is passed to an OS command execution context without proper input sanitization or escaping, enabling command injection via shell metacharacters. This is a classic CWE-78 (Improper Neutralization of Special Elements used in an OS Command) flaw where user-controlled input reaches shell command execution APIs. The affected device is a wireless router/access point (NU516U1 model), suggesting the vulnerability resides in the device's embedded web management interface.

RemediationAI

The vendor was contacted during coordinated disclosure but no patch version has been publicly released according to available data. Immediate mitigations include: (1) Restrict network access to the device's web management interface (TCP port typically 80/443) using a firewall rule permitting only trusted IP ranges or administrative subnets; (2) Change default credentials (if applied) and enforce strong, unique passwords for device management accounts; (3) Disable remote administration or web management access if not required, using device settings or network segmentation; (4) Monitor for suspicious login attempts and command execution patterns via device logs. Contact Wavlink support to obtain a patched firmware version if available. Until a vendor patch is available, network isolation is the most effective compensating control.

Share

CVE-2026-8230 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy