CVE-2026-4166
Status: Awaiting Analysis - Queue
Remote XSS in Wavlink WL-NU516U1 /cgi-bin/login.cgi

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in Wavlink WL-NU516U1 240425. The impacted element is the function sub_404F68 of the file /cgi-bin/login.cgi. Manipulation of the argument homepage/hostname results in cross-site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure.
Meta Information
Published: 2026-03-16
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: wavlink
Product: wl-nu516u1
Version / Range: 240425
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4166 is a remote Cross-Site Scripting (XSS) vulnerability found in the Wavlink WL-NU516U1 device, version 240425. The vulnerability exists in the function sub_404F68 within the /cgi-bin/login.cgi file. It arises because the device improperly handles user-controllable input parameters, specifically "homepage" and "hostname", which are included in web page output without proper sanitization or filtering.

An attacker can exploit this flaw by sending crafted POST requests to the login.cgi script with malicious payloads embedded in these parameters. This causes the device to reflect and execute arbitrary JavaScript code in the context of the router's web interface, leading to potential script execution on the client side.

The vulnerability is classified as CWE-79 (Cross-Site Scripting) and can be exploited remotely without requiring local access or authentication, although some user interaction is needed to trigger the malicious script. [1, 2, 3, 4, 5]


How can this vulnerability impact me?

This vulnerability allows attackers to inject and execute arbitrary JavaScript code within the context of the router's web interface. This can lead to several security impacts including:

- Execution of malicious scripts that can hijack user sessions.
- Theft of credentials or sensitive information entered into the router's web interface.
- Potential manipulation or disruption of router settings by tricking users into performing unintended actions.
- Remote exploitation without requiring physical or local access, increasing the attack surface.

Overall, this vulnerability compromises data integrity and user trust by enabling attackers to execute arbitrary scripts remotely. [1, 2, 3]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending crafted POST requests to the /cgi-bin/login.cgi endpoint of the Wavlink WL-NU516U1 device, specifically targeting the parameters "homepage" or "hostname" with malicious script payloads to check for reflected cross-site scripting (XSS) in the response.

For example, you can use curl commands to test the vulnerability by injecting script tags in the "homepage" or "hostname" parameters and observing if the response reflects the injected script without sanitization.

- curl -X POST http://<device-ip>/cgi-bin/login.cgi -d 'newUI=1&page=login&username=admin&homepage=main.shtml"></script><svg/onload=alert()><script>'
- curl -X POST http://<device-ip>/cgi-bin/login.cgi -d 'newUI=1&page=login&username=admin&hostname=192.168.6.2"><svg/onload=alert()><div'

If the response contains the injected script tags and triggers script execution (e.g., an alert popup), the device is vulnerable to CVE-2026-4166. [2, 3, 5]


What immediate steps should I take to mitigate this vulnerability?

There are no known published mitigations or countermeasures from the vendor for this vulnerability as of now.

Immediate steps to mitigate the risk include avoiding the use of the affected Wavlink WL-NU516U1 device or replacing it with an alternative product that is not vulnerable.

Additionally, restricting access to the device's web interface from untrusted networks and monitoring for suspicious POST requests targeting /cgi-bin/login.cgi can help reduce exposure.

Applying network-level protections such as web application firewalls (WAFs) that can detect and block XSS payloads in HTTP requests may also help mitigate exploitation attempts. [1]
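One way to act on the detection and monitoring advice in the two answers above, as an added example that is not part of this advisory or of Wavlink's code: a Python scanner over constructed reverse-proxy log lines (the log format, the source IPs and the captured POST bodies are all assumptions) that flags POST requests to /cgi-bin/login.cgi whose homepage or hostname parameter carries markup rather than a page name or an IP address.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample lines (not from the advisory): a reverse proxy in front of
# the router that logs each request with its captured POST body.
SAMPLE_LOGS = [
    '192.168.6.50 - [16/Mar/2026:10:00:01] "POST /cgi-bin/login.cgi HTTP/1.1" 200 body="newUI=1&page=login&username=admin&homepage=main.shtml"',
    '192.168.6.51 - [16/Mar/2026:10:00:05] "POST /cgi-bin/login.cgi HTTP/1.1" 200 body="newUI=1&page=login&username=admin&homepage=main.shtml%22%3E%3C%2Fscript%3E%3Csvg%2Fonload%3Dalert()%3E"',
    '192.168.6.52 - [16/Mar/2026:10:00:09] "POST /cgi-bin/login.cgi HTTP/1.1" 200 body="newUI=1&page=login&username=admin&hostname=192.168.6.2%22%3E%3Csvg%2Fonload%3Dalert()%3E%3Cdiv"',
    '192.168.6.53 - [16/Mar/2026:10:00:12] "GET /index.shtml HTTP/1.1" 200 body=""',
]

# Assumed log layout: "<src> - [time] \"<method> <path> <proto>\" <status> body=\"<body>\""
LINE_RE = re.compile(
    r'^(?P<src>\S+) .*"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d+ body="(?P<body>.*)"$'
)
WATCHED_PARAMS = ("homepage", "hostname")  # injection points named in the advisory
# Markup delimiters, inline event handlers or a javascript: scheme have no place in
# a page name or an IP address, so their presence is the indicator.
SUSPICIOUS_RE = re.compile(r"[<>'\"]|\bon\w+\s*=|javascript:", re.IGNORECASE)

def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def suspicious_params(body):
    """Return {param: decoded value} for watched parameters that carry markup."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = unquote_plus(value)  # second pass catches double-encoded input
            if SUSPICIOUS_RE.search(decoded):
                hits[name] = decoded
    return hits

def scan(lines):
    """Return (source ip, parameter, decoded value) for each suspicious login.cgi POST."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != "/cgi-bin/login.cgi":
            continue
        for name, value in suspicious_params(rec["body"]).items():
            alerts.append((rec["src"], name, value))
    return alerts
```

Run `scan(SAMPLE_LOGS)` to list the two offending requests; a real deployment would feed the proxy's own log lines and forward the alerts to whatever the network already uses for events.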

