Search
Find a vulnerability
Search criteria
4 vulnerabilities found for WL-NU516U1-A by Wavlink
CVE-2026-13539 (GCVE-0-2026-13539)
Vulnerability from nvd – Published: 2026-06-29 05:30 – Updated: 2026-06-29 14:52
VLAI
EPSS
VEX
Title
Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_407504 stack-based overflow
Summary
A vulnerability was identified in Wavlink WL-NU516U1-A M16U1_V240425. The impacted element is the function sub_407504 of the file /cgi-bin/wireless.cgi of the component POST Parameter Handler. Such manipulation of the argument Guest_ssid leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/374547 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/374547/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-13539 | third-party-advisory |
| https://vuldb.com/submit/834024 | third-party-advisory |
| https://github.com/Svigo-o/Wavlink_vul/tree/main/… | exploit |
| https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wavlink | WL-NU516U1-A |
Affected:
M16U1_V240425
cpe:2.3:a:wavlink:wl-nu516u1-a:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13539",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T14:13:41.239265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T14:52:41.292Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:wavlink:wl-nu516u1-a:*:*:*:*:*:*:*:*"
],
"modules": [
"POST Parameter Handler"
],
"product": "WL-NU516U1-A",
"vendor": "Wavlink",
"versions": [
{
"status": "affected",
"version": "M16U1_V240425"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "JuneGu (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in Wavlink WL-NU516U1-A M16U1_V240425. The impacted element is the function sub_407504 of the file /cgi-bin/wireless.cgi of the component POST Parameter Handler. Such manipulation of the argument Guest_ssid leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T05:30:09.451Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-374547 | Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_407504 stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/374547"
},
{
"name": "VDB-374547 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/374547/cti"
},
{
"name": "CVE-2026-13539 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-13539"
},
{
"name": "Submit #834024 | Wavlink WL-NU516U1-A M16U1_V240425 Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834024"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Svigo-o/Wavlink_vul/tree/main/wavlink-wl-nu516u1-wireless-guestwifi-guestssid-buffer-overflow"
},
{
"tags": [
"patch"
],
"url": "https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U1-WO-A-2026-06-22-5ccde97-mt7628-squashfs-sysupgrade.bin"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-28T12:07:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_407504 stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-13539",
"datePublished": "2026-06-29T05:30:09.451Z",
"dateReserved": "2026-06-28T10:01:38.197Z",
"dateUpdated": "2026-06-29T14:52:41.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13538 (GCVE-0-2026-13538)
Vulnerability from nvd – Published: 2026-06-29 05:15 – Updated: 2026-06-29 13:48
VLAI
EPSS
VEX
Title
Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_401D68 command injection
Summary
A vulnerability was determined in Wavlink WL-NU516U1-A M16U1_V240425. The affected element is the function sub_401D68 of the file /cgi-bin/wireless.cgi of the component POST Parameter Handler. This manipulation of the argument SSID2G2/SSID5G2/AuthMethod2/WPAPSK12 causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
10 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/374546 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/374546/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-13538 | third-party-advisory |
| https://vuldb.com/submit/834019 | third-party-advisory |
| https://vuldb.com/submit/834021 | third-party-advisory |
| https://vuldb.com/submit/834022 | third-party-advisory |
| https://vuldb.com/submit/834023 | third-party-advisory |
| https://github.com/Svigo-o/Wavlink_vul/tree/main/… | related |
| https://github.com/Svigo-o/Wavlink_vul/tree/main/… | exploit |
| https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wavlink | WL-NU516U1-A |
Affected:
M16U1_V240425
cpe:2.3:a:wavlink:wl-nu516u1-a:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13538",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:47:32.393217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:48:00.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:wavlink:wl-nu516u1-a:*:*:*:*:*:*:*:*"
],
"modules": [
"POST Parameter Handler"
],
"product": "WL-NU516U1-A",
"vendor": "Wavlink",
"versions": [
{
"status": "affected",
"version": "M16U1_V240425"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "HustBinary (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Wavlink WL-NU516U1-A M16U1_V240425. The affected element is the function sub_401D68 of the file /cgi-bin/wireless.cgi of the component POST Parameter Handler. This manipulation of the argument SSID2G2/SSID5G2/AuthMethod2/WPAPSK12 causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T05:15:13.662Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-374546 | Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_401D68 command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/374546"
},
{
"name": "VDB-374546 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/374546/cti"
},
{
"name": "CVE-2026-13538 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-13538"
},
{
"name": "Submit #834019 | Wavlink WL-NU516U1-A M16U1_V240425 Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834019"
},
{
"name": "Submit #834021 | Wavlink WL-NU516U1-A M16U1_V240425 Command Injection (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834021"
},
{
"name": "Submit #834022 | Wavlink WL-NU516U1-A M16U1_V240425 Command Injection (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834022"
},
{
"name": "Submit #834023 | Wavlink WL-NU516U1-A M16U1_V240425 Command Injection (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834023"
},
{
"tags": [
"related"
],
"url": "https://github.com/Svigo-o/Wavlink_vul/tree/main/wavlink-wl-nu516u1-wireless-multissid-ssid2g2-command-injection"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Svigo-o/Wavlink_vul/tree/main/wavlink-wl-nu516u1-wireless-multissid-ssid5g2-command-injection"
},
{
"tags": [
"patch"
],
"url": "https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U1-WO-A-2026-06-22-5ccde97-mt7628-squashfs-sysupgrade.bin"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-28T12:06:40.000Z",
"value": "VulDB entry last update"
}
],
"title": "Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_401D68 command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-13538",
"datePublished": "2026-06-29T05:15:13.662Z",
"dateReserved": "2026-06-28T10:01:35.649Z",
"dateUpdated": "2026-06-29T13:48:00.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13539 (GCVE-0-2026-13539)
Vulnerability from cvelistv5 – Published: 2026-06-29 05:30 – Updated: 2026-06-29 14:52
VLAI
EPSS
VEX
Title
Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_407504 stack-based overflow
Summary
A vulnerability was identified in Wavlink WL-NU516U1-A M16U1_V240425. The impacted element is the function sub_407504 of the file /cgi-bin/wireless.cgi of the component POST Parameter Handler. Such manipulation of the argument Guest_ssid leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/374547 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/374547/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-13539 | third-party-advisory |
| https://vuldb.com/submit/834024 | third-party-advisory |
| https://github.com/Svigo-o/Wavlink_vul/tree/main/… | exploit |
| https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wavlink | WL-NU516U1-A |
Affected:
M16U1_V240425
cpe:2.3:a:wavlink:wl-nu516u1-a:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13539",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T14:13:41.239265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T14:52:41.292Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:wavlink:wl-nu516u1-a:*:*:*:*:*:*:*:*"
],
"modules": [
"POST Parameter Handler"
],
"product": "WL-NU516U1-A",
"vendor": "Wavlink",
"versions": [
{
"status": "affected",
"version": "M16U1_V240425"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "JuneGu (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in Wavlink WL-NU516U1-A M16U1_V240425. The impacted element is the function sub_407504 of the file /cgi-bin/wireless.cgi of the component POST Parameter Handler. Such manipulation of the argument Guest_ssid leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T05:30:09.451Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-374547 | Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_407504 stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/374547"
},
{
"name": "VDB-374547 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/374547/cti"
},
{
"name": "CVE-2026-13539 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-13539"
},
{
"name": "Submit #834024 | Wavlink WL-NU516U1-A M16U1_V240425 Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834024"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Svigo-o/Wavlink_vul/tree/main/wavlink-wl-nu516u1-wireless-guestwifi-guestssid-buffer-overflow"
},
{
"tags": [
"patch"
],
"url": "https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U1-WO-A-2026-06-22-5ccde97-mt7628-squashfs-sysupgrade.bin"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-28T12:07:03.000Z",
"value": "VulDB entry last update"
}
],
"title": "Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_407504 stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-13539",
"datePublished": "2026-06-29T05:30:09.451Z",
"dateReserved": "2026-06-28T10:01:38.197Z",
"dateUpdated": "2026-06-29T14:52:41.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13538 (GCVE-0-2026-13538)
Vulnerability from cvelistv5 – Published: 2026-06-29 05:15 – Updated: 2026-06-29 13:48
VLAI
EPSS
VEX
Title
Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_401D68 command injection
Summary
A vulnerability was determined in Wavlink WL-NU516U1-A M16U1_V240425. The affected element is the function sub_401D68 of the file /cgi-bin/wireless.cgi of the component POST Parameter Handler. This manipulation of the argument SSID2G2/SSID5G2/AuthMethod2/WPAPSK12 causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
10 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/374546 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/374546/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-13538 | third-party-advisory |
| https://vuldb.com/submit/834019 | third-party-advisory |
| https://vuldb.com/submit/834021 | third-party-advisory |
| https://vuldb.com/submit/834022 | third-party-advisory |
| https://vuldb.com/submit/834023 | third-party-advisory |
| https://github.com/Svigo-o/Wavlink_vul/tree/main/… | related |
| https://github.com/Svigo-o/Wavlink_vul/tree/main/… | exploit |
| https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Wavlink | WL-NU516U1-A |
Affected:
M16U1_V240425
cpe:2.3:a:wavlink:wl-nu516u1-a:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13538",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:47:32.393217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:48:00.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:wavlink:wl-nu516u1-a:*:*:*:*:*:*:*:*"
],
"modules": [
"POST Parameter Handler"
],
"product": "WL-NU516U1-A",
"vendor": "Wavlink",
"versions": [
{
"status": "affected",
"version": "M16U1_V240425"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "HustBinary (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Wavlink WL-NU516U1-A M16U1_V240425. The affected element is the function sub_401D68 of the file /cgi-bin/wireless.cgi of the component POST Parameter Handler. This manipulation of the argument SSID2G2/SSID5G2/AuthMethod2/WPAPSK12 causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T05:15:13.662Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-374546 | Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_401D68 command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/374546"
},
{
"name": "VDB-374546 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/374546/cti"
},
{
"name": "CVE-2026-13538 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-13538"
},
{
"name": "Submit #834019 | Wavlink WL-NU516U1-A M16U1_V240425 Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834019"
},
{
"name": "Submit #834021 | Wavlink WL-NU516U1-A M16U1_V240425 Command Injection (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834021"
},
{
"name": "Submit #834022 | Wavlink WL-NU516U1-A M16U1_V240425 Command Injection (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834022"
},
{
"name": "Submit #834023 | Wavlink WL-NU516U1-A M16U1_V240425 Command Injection (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/834023"
},
{
"tags": [
"related"
],
"url": "https://github.com/Svigo-o/Wavlink_vul/tree/main/wavlink-wl-nu516u1-wireless-multissid-ssid2g2-command-injection"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Svigo-o/Wavlink_vul/tree/main/wavlink-wl-nu516u1-wireless-multissid-ssid5g2-command-injection"
},
{
"tags": [
"patch"
],
"url": "https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U1-WO-A-2026-06-22-5ccde97-mt7628-squashfs-sysupgrade.bin"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-28T12:06:40.000Z",
"value": "VulDB entry last update"
}
],
"title": "Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_401D68 command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-13538",
"datePublished": "2026-06-29T05:15:13.662Z",
"dateReserved": "2026-06-28T10:01:35.649Z",
"dateUpdated": "2026-06-29T13:48:00.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}