CVE-2026-4163 - Vulnerability Details

- Wavlink WL-WN579A3 POST Request wireless.cgi GuestWifi command injection

Description

A vulnerability was detected in Wavlink WL-WN579A3 220323. This issue affects the function SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading the affected component is recommended.

Published: 2026-03-14

Score: 9.3 Critical

EPSS: 2.1% Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is located in the SetName/GuestWifi function of /cgi-bin/wireless.cgi in the Wavlink WL‑WN579A3 firmware 220323. A crafted POST request that is not properly sanitized allows an attacker to inject arbitrary OS commands, leading to remote command execution. This flaw is classified as CWE‑74 and CWE‑77.

Affected Systems

Affected product: Wavlink WL‑WN579A3 firmware 220323. Users of this router model running that firmware are vulnerable.

Risk and Exploitability

The flaw has a CVSS score of 9.3, marking it critical severity. The EPSS score of 2% indicates a non‑negligible likelihood of exploitation. The vulnerability is not listed in CISA KEV, but public exploit code has been posted. Attackers can trigger the flaw remotely by sending a crafted POST request to the wireless.cgi endpoint, bypassing normal operation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Wavlink

WL-WN579A3

affected

Version	Status	Constraints
`220323`	affected	—

No data.

Vendor Product Confidence Versions

Wavlink

Wl-wn579a3

100%

Version	Status	Scheme	Platform
`220323`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official firmware upgrade released by Wavlink that removes the vulnerable wireless.cgi implementation.
If an immediate upgrade is not possible, temporarily disable the GuestWifi feature through the router’s configuration interface to eliminate the vulnerable endpoint.
Restrict administrative access to the router’s web interface, allowing the POST endpoint only from trusted internal IPs or via VPN.

Generated by OpenCVE AI on June 18, 2026 at 10:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.02103.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://dl.wavlink.com/firmware/RD/WINSTAR_WN579A3-A-2026-03-10-94f93d4-WO-mt7628-squashfs-sysupgrade.bin
https://github.com/Litengzheng/vul_db/blob/main/WL-WN579A3/vul_10/README.md
https://github.com/Litengzheng/vul_db/blob/main/WL-WN579A3/vul_9/README.md
https://vuldb.com/?ctiid.351070
https://vuldb.com/?id.351070
https://vuldb.com/?submit.765327
https://vuldb.com/?submit.765328

History

Tue, 17 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wavlink wl-wn579a3
Vendors & Products		Wavlink wl-wn579a3

Sat, 14 Mar 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in Wavlink WL-WN579A3 220323. This issue affects the function SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading the affected component is recommended.
Title		Wavlink WL-WN579A3 POST Request wireless.cgi GuestWifi command injection
First Time appeared		Wavlink Wavlink wl-wn579a3 Firmware
Weaknesses		CWE-74 CWE-77
CPEs		cpe:2.3:o:wavlink:wl-wn579a3_firmware::::::::
Vendors & Products		Wavlink Wavlink wl-wn579a3 Firmware
References		https://dl.wavlink.com/firmware/RD/WINSTAR_WN579A3-A-2026-03-10-94f93d4-WO-mt7628-squashfs-sysupgrade.bin https://github.com/Litengzheng/vul_db/blob/main/WL-WN579A3/vul_10/README.md https://github.com/Litengzheng/vul_db/blob/main/WL-WN579A3/vul_9/README.md https://vuldb.com/?ctiid.351070 https://vuldb.com/?id.351070 https://vuldb.com/?submit.765327 https://vuldb.com/?submit.765328
Metrics		cvssV2_0 `{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Wavlink Wl-wn579a3 Wl-wn579a3 Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-14T22:32:10.502Z

Updated: 2026-03-17T14:11:25.056Z

Reserved: 2026-03-14T08:28:57.337Z

Link: CVE-2026-4163

Vulnrichment

Updated: 2026-03-17T14:11:20.346Z

NVD

Status : Deferred

Published: 2026-03-16T14:19:55.143

Modified: 2026-06-17T10:56:05.520

Link: CVE-2026-4163

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T10:15:03Z

Weaknesses

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object