CVE-2026-3716
Received Received - Intake
Remote XSS in Wavlink WL-WN579X3-C adm.cgi Hostname Parameter

Publication date: 2026-03-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in Wavlink WL-WN579X3-C 231124. This vulnerability affects the function sub_401AD4 of the file /cgi-bin/adm.cgi. Executing a manipulation of the argument Hostname can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 20260226 is able to resolve this issue. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3716
EUVD
EUVD-2026-10222
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wavlink wl-wn579x3-c_firmware 231124
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3716 is a Cross-Site Scripting (XSS) vulnerability found in the Wavlink WL-WN579X3-C router, version 231124. It exists in the function sub_401AD4 within the /cgi-bin/adm.cgi file, specifically related to improper handling of the "Hostname" argument.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the router\'s web interface processes the "hostname" parameter without proper sanitization, allowing an attacker to inject malicious JavaScript code. This malicious script can then be executed in the context of the router\'s web interface.'}, {'type': 'paragraph', 'content': "An attacker can exploit this remotely by sending a specially crafted request with a malicious hostname value, which gets reflected back in the router's response, triggering the script execution."}] [1, 2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows remote attackers to execute arbitrary JavaScript code within the context of the router's web interface."}, {'type': 'list_item', 'content': "It can lead to session hijacking, where an attacker steals or manipulates the victim's session."}, {'type': 'list_item', 'content': 'It may enable attackers to perform malicious actions on behalf of the authenticated user.'}, {'type': 'list_item', 'content': 'The integrity of the system can be compromised due to script injection.'}, {'type': 'paragraph', 'content': 'Although exploitation requires some user interaction and authentication, the attack is considered easy and a proof-of-concept exploit is publicly available.'}] [1, 2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the /cgi-bin/adm.cgi endpoint of the Wavlink WL-WN579X3-C router for improper handling of the "hostname" parameter. Specifically, sending crafted requests with malicious script payloads in the hostname argument and observing if the response reflects the injected script without sanitization indicates the presence of the vulnerability.'}, {'type': 'paragraph', 'content': 'A practical detection method is to send a POST request to /cgi-bin/adm.cgi with the hostname parameter set to a payload such as: 192.168.6.4"</script><svg/onload=alert()><script>" and check if the response includes the injected script.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability:'}, {'type': 'list_item', 'content': 'curl -X POST http://[router-ip]/cgi-bin/adm.cgi -d \'page=sysinit&hostname=192.168.6.4"</script><svg/onload=alert()><script>"\''}, {'type': 'paragraph', 'content': 'If the response contains the injected script code executed or reflected, the system is vulnerable.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate and recommended mitigation step is to upgrade the Wavlink WL-WN579X3-C router firmware to version 20260226, which contains the fix for this vulnerability.'}, {'type': 'paragraph', 'content': "Until the upgrade can be applied, restrict access to the router's administrative interface to trusted networks and users only, to reduce the risk of remote exploitation."}, {'type': 'paragraph', 'content': 'Additionally, monitor network traffic for suspicious requests targeting /cgi-bin/adm.cgi with unusual hostname parameters.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3716. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart