Description
A vulnerability was found in Wavlink WL-WN579A3 up to 20210219. This impacts the function multi_ssid of the file /cgi-bin/wireless.cgi. Performing a manipulation of the argument SSID2G2 results in command injection. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-02-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability exists in the multi_ssid function of the /cgi-bin/wireless.cgi script on Wavlink WL‑WN579A3 routers. By manipulating the SSID2G2 argument, an attacker can inject arbitrary shell commands, resulting in remote command execution. The flaw is classified as injection (CWE‑74) and, more specifically, command injection (CWE‑77): special elements in the argument are not neutralized before it is used in a command. Successful exploitation would allow an attacker to compromise the confidentiality, integrity, and availability of the device and potentially the network it serves.

Affected Systems

Wavlink WL‑WN579A3 routers with firmware versions up to and including 20210219 are affected. The issue is triggered through the web management interface exposed at /cgi-bin/wireless.cgi, which is reachable remotely over HTTP.

Risk and Exploitability

The CVSS 4.0 score of 5.3 indicates medium severity, while the EPSS is reported as less than 1%, implying a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An exploit is public, so a remote actor can send an HTTP request with a crafted SSID2G2 value to achieve command injection. The CVSS vectors recorded for this CVE rate the privileges required as low (PR:L, Au:S in CVSS 2.0) rather than none.

Generated by OpenCVE AI on April 18, 2026 at 12:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to firmware newer than 20210219 once a release that resolves the command injection flaw is available; no vendor fix is currently provided.
  • Disable remote access to the router’s web interface or limit it to trusted IP addresses to reduce the attack surface.
  • If possible, disable the multi_ssid functionality or the SSID2G2 parameter by configuring the router to use a single SSID or by removing unnecessary Wi‑Fi interfaces.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wavlink wl-wn579a3 Firmware
CPEs | | cpe:2.3:h:wavlink:wl-wn579a3:-:*:*:*:*:*:*:*
 | | cpe:2.3:o:wavlink:wl-wn579a3_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Wavlink wl-wn579a3 Firmware

Tue, 17 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wavlink
 | | Wavlink wl-wn579a3
Vendors & Products | | Wavlink
 | | Wavlink wl-wn579a3

Mon, 16 Feb 2026 01:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in Wavlink WL-WN579A3 up to 20210219. This impacts the function multi_ssid of the file /cgi-bin/wireless.cgi. Performing a manipulation of the argument SSID2G2 results in command injection. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Wavlink WL-WN579A3 wireless.cgi multi_ssid command injection
Weaknesses | | CWE-74
 | | CWE-77
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:03:35.983Z

Reserved: 2026-02-15T09:01:23.275Z

Link: CVE-2026-2526

Vulnrichment

Updated: 2026-02-17T17:16:42.622Z

NVD

Status: Analyzed

Published: 2026-02-16T02:16:06.423

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2526

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:15:15Z
