CVE-2026-3716
Remote XSS in Wavlink WL-WN579X3-C adm.cgi Hostname Parameter
Publication date: 2026-03-08
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wavlink | wl-wn579x3-c_firmware | 231124 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3716 is a Cross-Site Scripting (XSS) vulnerability found in the Wavlink WL-WN579X3-C router, version 231124. It exists in the function sub_401AD4 within the /cgi-bin/adm.cgi file, specifically related to improper handling of the "Hostname" argument.

The vulnerability occurs because the router's web interface processes the "hostname" parameter without proper sanitization, allowing an attacker to inject malicious JavaScript code. This malicious script can then be executed in the context of the router's web interface.

An attacker can exploit this remotely by sending a specially crafted request with a malicious hostname value, which gets reflected back in the router's response, triggering the script execution. [1, 2, 3]

How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary JavaScript code within the context of the router's web interface.

- It can lead to session hijacking, where an attacker steals or manipulates the victim's session.
- It may enable attackers to perform malicious actions on behalf of the authenticated user.
- The integrity of the system can be compromised due to script injection.

Although exploitation requires some user interaction and authentication, the attack is considered easy and a proof-of-concept exploit is publicly available. [1, 2, 3]

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /cgi-bin/adm.cgi endpoint of the Wavlink WL-WN579X3-C router for improper handling of the "hostname" parameter. Specifically, if a crafted request carrying a script payload in the hostname argument comes back with the injected script reflected unsanitized in the response, the vulnerability is present.

A practical detection method is to send a POST request to /cgi-bin/adm.cgi with the hostname parameter set to a payload such as `192.168.6.4"</script><svg/onload=alert()><script>"` and check if the response includes the injected script.

Example command using curl to test the vulnerability:

- `curl -X POST http://[router-ip]/cgi-bin/adm.cgi -d 'page=sysinit&hostname=192.168.6.4"</script><svg/onload=alert()><script>"'`

If the response reflects the injected script code unescaped, the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade the Wavlink WL-WN579X3-C router firmware to version 20260226, which contains the fix for this vulnerability.

Until the upgrade can be applied, restrict access to the router's administrative interface to trusted networks and users only, to reduce the risk of remote exploitation.

Additionally, monitor network traffic for suspicious requests targeting /cgi-bin/adm.cgi with unusual hostname parameters. [2]
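
One way to implement the traffic monitoring suggested above, as an added example that is not from the advisory or the vendor: a Python check that parses a form-encoded request body sent to /cgi-bin/adm.cgi and flags any hostname value that is not a plain RFC 1123 hostname or IPv4 address. The function names and sample requests are constructed for illustration; only the endpoint path, the `page=sysinit` field and the `hostname` parameter come from this page.

```python
import re
from urllib.parse import parse_qs

# Endpoint and parameter named on this page.
TARGET_PATH = "/cgi-bin/adm.cgi"
PARAM = "hostname"

# Allow-list: dot-separated RFC 1123 labels (letters, digits, inner hyphens).
# Dotted IPv4 addresses match the same pattern.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_plain_hostname(value: str) -> bool:
    """True only for values made of hostname characters, at most 253 long."""
    return len(value) <= 253 and _HOSTNAME_RE.fullmatch(value) is not None


def suspicious_hostnames(method: str, path: str, body: str) -> list:
    """Return the decoded hostname values in one request that fail the allow-list.

    parse_qs percent-decodes the body first, so encoded quotes and angle
    brackets are judged in their decoded form. An empty value is also flagged.
    """
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    fields = parse_qs(body, keep_blank_values=True)
    hits = []
    for key, values in fields.items():
        # The page spells the argument both "Hostname" and "hostname".
        if key.lower() == PARAM:
            hits.extend(v for v in values if not is_plain_hostname(v))
    return hits


# Constructed sample requests (method, path, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/adm.cgi", "page=sysinit&hostname=192.168.6.4"),
    ("POST", "/cgi-bin/adm.cgi", "page=sysinit&hostname=lab%22%3Cx%3E"),
    ("POST", "/cgi-bin/adm.cgi", "page=sysinit&hostname=office-router.lan"),
]

if __name__ == "__main__":
    for method, path, body in SAMPLE_REQUESTS:
        bad = suspicious_hostnames(method, path, body)
        print("ALERT" if bad else "ok   ", path, bad)
```

The same allow-list works as input validation on any proxy or management layer placed in front of the admin interface while the firmware upgrade is pending.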