CVE-2026-15513
MEDIUM
6.3
CVSS 3.1
Description
A security flaw has been discovered in Wavlink WL-NU516U1 260515. This affects the function wlink_uci_set_value of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument lan_ip results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Metadata
Severity & Metrics
6.3
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Wavlink | WL-NU516U1 | — | 260515 |
CVSS scores (4)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 6.5 | N/D | 2.0 | cna | AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C |
| 6.3 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
| 6.3 | MEDIUM | 3.0 | cna | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
| 5.3 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
References (6)
- VDB-377842 | Wavlink WL-NU516U1 adm.cgi wlink_uci_set_value os command injection https://vuldb.com/vuln/377842
- VDB-377842 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/377842/cti
- CVE-2026-15513 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-15513
- Submit #847517 | WAVLINK NU516U1 M16U1_V260515 OS Command Injection https://vuldb.com/submit/847517
- https://github.com/0xcc12138/wavlink-nu516u1-csrf-command-injection-
- https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U1-WO-A-2026-06-22-5ccde97-mt7628-squashfs-sysupgrade.bin