CVE-2026-8191
Undergoing Analysis Undergoing Analysis - In Progress
OS Command Injection in Wavlink NU516U1 Router

Publication date: 2026-05-09

Last updated on: 2026-05-11

Assigner: VulDB

Description
A vulnerability was identified in Wavlink NU516U1 M16U1_V240425. This affects the function wifi_region of the file /cgi-bin/adm.cgi. Such manipulation of the argument skiplist1/skiplist2 leads to os command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-09
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-18
NVD
CVE-2026-8191
EUVD
EUVD-2026-28919
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wavlink nu516u1 v240425
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-8191 is a Remote Command Execution (RCE) vulnerability found in the wifi_region interface of Wavlink NU516U1 devices. The vulnerability occurs because the parameters skiplist1 and skiplist2 are passed directly to the system without proper sanitization, allowing an attacker to inject malicious operating system commands.

An attacker can exploit this by sending a crafted POST request to the /cgi-bin/adm.cgi endpoint with specific parameters, including a malicious skiplist1 value. For example, the attacker can execute commands like starting a telnet server on the device, thereby gaining remote shell access.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary commands on the affected device remotely without user interaction. Successful exploitation can lead to full remote shell access, enabling the attacker to control the device, manipulate its settings, intercept or redirect network traffic, or use the device as a foothold for further attacks within the network.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /cgi-bin/adm.cgi with the parameter page=wifi_region and unusual values in the skiplist1 or skiplist2 parameters.

A specific indicator of compromise is the presence of commands like 'telnetd -l /bin/sh -p 8891' in the skiplist1 parameter, which is used in the known exploit.

You can use network monitoring tools or web server logs to search for such POST requests.

  • Use grep or similar tools on web server logs to find suspicious requests: grep 'POST /cgi-bin/adm.cgi' /var/log/httpd/access_log | grep 'page=wifi_region'
  • Look for suspicious parameter values in captured traffic or logs: grep -E 'skiplist1=.*telnetd' /var/log/httpd/access_log
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable /cgi-bin/adm.cgi endpoint, especially the wifi_region function.

Implement input validation or filtering to prevent command injection via the skiplist1 and skiplist2 parameters.

If possible, update the device firmware to a version where this vulnerability is patched.

As a temporary measure, monitor and block suspicious POST requests targeting /cgi-bin/adm.cgi with malicious parameters.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8191. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart