CVE-2026-4166
Awaiting Analysis Awaiting Analysis - Queue
Remote XSS in Wavlink WL-NU516U1 /cgi-bin/login.cgi

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in Wavlink WL-NU516U1 240425. The impacted element is the function sub_404F68 of the file /cgi-bin/login.cgi. The manipulation of the argument homepage/hostname results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4166
EUVD
EUVD-2026-12208
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wavlink wl-nu516u1 240425
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-4166 is a remote Cross-Site Scripting (XSS) vulnerability found in the Wavlink WL-NU516U1 device, version 240425. The vulnerability exists in the function sub_404F68 within the /cgi-bin/login.cgi file. It arises because the device improperly handles user-controllable input parameters, specifically "homepage" and "hostname," which are included in web page output without proper sanitization or filtering.'}, {'type': 'paragraph', 'content': "An attacker can exploit this flaw by sending crafted POST requests to the login.cgi script with malicious payloads embedded in these parameters. This causes the device to reflect and execute arbitrary JavaScript code in the context of the router's web interface, leading to potential script execution on the client side."}, {'type': 'paragraph', 'content': 'The vulnerability is classified as CWE-79 (Cross-Site Scripting) and can be exploited remotely without requiring local access or authentication, although some user interaction is needed to trigger the malicious script.'}] [1, 2, 3, 4, 5]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows attackers to inject and execute arbitrary JavaScript code within the context of the router's web interface. This can lead to several security impacts including:"}, {'type': 'list_item', 'content': 'Execution of malicious scripts that can hijack user sessions.'}, {'type': 'list_item', 'content': "Theft of credentials or sensitive information entered into the router's web interface."}, {'type': 'list_item', 'content': 'Potential manipulation or disruption of router settings by tricking users into performing unintended actions.'}, {'type': 'list_item', 'content': 'Remote exploitation without requiring physical or local access, increasing the attack surface.'}, {'type': 'paragraph', 'content': 'Overall, this vulnerability compromises data integrity and user trust by enabling attackers to execute arbitrary scripts remotely.'}] [1, 2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending crafted POST requests to the /cgi-bin/login.cgi endpoint of the Wavlink WL-NU516U1 device, specifically targeting the parameters "homepage" or "hostname" with malicious script payloads to check for reflected cross-site scripting (XSS) in the response.'}, {'type': 'paragraph', 'content': 'For example, you can use curl commands to test the vulnerability by injecting script tags in the "homepage" or "hostname" parameters and observing if the response reflects the injected script without sanitization.'}, {'type': 'list_item', 'content': 'curl -X POST http://<device-ip>/cgi-bin/login.cgi -d \'newUI=1&page=login&username=admin&homepage=main.shtml"></script><svg/onload=alert()><script>\''}, {'type': 'list_item', 'content': 'curl -X POST http://<device-ip>/cgi-bin/login.cgi -d \'newUI=1&page=login&username=admin&hostname=192.168.6.2"><svg/onload=alert()><div\''}, {'type': 'paragraph', 'content': 'If the response contains the injected script tags and triggers script execution (e.g., an alert popup), the device is vulnerable to CVE-2026-4166.'}] [2, 3, 5]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'There are no known published mitigations or countermeasures from the vendor for this vulnerability as of now.'}, {'type': 'paragraph', 'content': 'Immediate steps to mitigate the risk include avoiding the use of the affected Wavlink WL-NU516U1 device or replacing it with an alternative product that is not vulnerable.'}, {'type': 'paragraph', 'content': "Additionally, restricting access to the device's web interface from untrusted networks and monitoring for suspicious POST requests targeting /cgi-bin/login.cgi can help reduce exposure."}, {'type': 'paragraph', 'content': 'Applying network-level protections such as web application firewalls (WAFs) that can detect and block XSS payloads in HTTP requests may also help mitigate exploitation attempts.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4166. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart