{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4163", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-14T08:28:57.337Z", "datePublished": "2026-03-14T22:32:10.502Z", "dateUpdated": "2026-03-17T14:11:25.056Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-14T22:32:10.502Z"}, "title": "Wavlink WL-WN579A3 POST Request wireless.cgi GuestWifi command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "Wavlink", "product": "WL-WN579A3", "versions": [{"version": "220323", "status": "affected"}], "cpes": ["cpe:2.3:o:wavlink:wl-wn579a3_firmware:*:*:*:*:*:*:*:*"], "modules": ["POST Request Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Wavlink WL-WN579A3 220323. This issue affects the function SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading the affected component is recommended."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "baseSeverity": "CRITICAL"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "baseSeverity": "CRITICAL"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "baseSeverity": "CRITICAL"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 10, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-03-14T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-14T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-14T09:34:23.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "LtzHuster (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.351070", "name": "VDB-351070 | Wavlink WL-WN579A3 POST Request wireless.cgi GuestWifi command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351070", "name": "VDB-351070 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.765327", "name": "Submit #765327 | Wavlink WL-WN579A3 V220323 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/?submit.765328", "name": "Submit #765328 | Wavlink WL-WN579A3 V220323 Command Injection (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Litengzheng/vul_db/blob/main/WL-WN579A3/vul_9/README.md", "tags": ["related"]}, {"url": "https://github.com/Litengzheng/vul_db/blob/main/WL-WN579A3/vul_10/README.md", "tags": ["exploit"]}, {"url": "https://dl.wavlink.com/firmware/RD/WINSTAR_WN579A3-A-2026-03-10-94f93d4-WO-mt7628-squashfs-sysupgrade.bin", "tags": ["patch"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T14:10:41.152684Z", "id": "CVE-2026-4163", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T14:11:25.056Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4163", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-17T14:10:41.152684Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T14:11:20.346Z"}}], "cna": {"title": "Wavlink WL-WN579A3 POST Request wireless.cgi GuestWifi command injection", "credits": [{"lang": "en", "type": "reporter", "value": "LtzHuster (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 10, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:o:wavlink:wl-wn579a3_firmware:*:*:*:*:*:*:*:*"], "vendor": "Wavlink", "modules": ["POST Request Handler"], "product": "WL-WN579A3", "versions": [{"status": "affected", "version": "220323"}]}], "timeline": [{"lang": "en", "time": "2026-03-14T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-14T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-14T09:34:23.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.351070", "name": "VDB-351070 | Wavlink WL-WN579A3 POST Request wireless.cgi GuestWifi command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.351070", "name": "VDB-351070 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.765327", "name": "Submit #765327 | Wavlink WL-WN579A3 V220323 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/?submit.765328", "name": "Submit #765328 | Wavlink WL-WN579A3 V220323 Command Injection (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Litengzheng/vul_db/blob/main/WL-WN579A3/vul_9/README.md", "tags": ["related"]}, {"url": "https://github.com/Litengzheng/vul_db/blob/main/WL-WN579A3/vul_10/README.md", "tags": ["exploit"]}, {"url": "https://dl.wavlink.com/firmware/RD/WINSTAR_WN579A3-A-2026-03-10-94f93d4-WO-mt7628-squashfs-sysupgrade.bin", "tags": ["patch"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Wavlink WL-WN579A3 220323. This issue affects the function SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading the affected component is recommended."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-14T22:32:10.502Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4163", "state": "PUBLISHED", "dateUpdated": "2026-03-17T14:11:25.056Z", "dateReserved": "2026-03-14T08:28:57.337Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-14T22:32:10.502Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Wavlink WL-WN579A3 220323. This issue affects the function SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading the affected component is recommended."}, {"lang": "es", "value": "Se detect\u00f3 una vulnerabilidad en Wavlink WL-WN579A3 220323. Este problema afecta la funci\u00f3n SetName/GuestWifi del archivo /cgi-bin/wireless.cgi del componente Gestor de Solicitudes POST. Realizar una manipulaci\u00f3n resulta en inyecci\u00f3n de comandos. Es posible iniciar el ataque de forma remota. El exploit ahora es p\u00fablico y puede ser utilizado. Se recomienda actualizar el componente afectado."}], "id": "CVE-2026-4163", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:55.143", "references": [{"source": "cna@vuldb.com", "url": "https://dl.wavlink.com/firmware/RD/WINSTAR_WN579A3-A-2026-03-10-94f93d4-WO-mt7628-squashfs-sysupgrade.bin"}, {"source": "cna@vuldb.com", "url": "https://github.com/Litengzheng/vul_db/blob/main/WL-WN579A3/vul_10/README.md"}, {"source": "cna@vuldb.com", "url": "https://github.com/Litengzheng/vul_db/blob/main/WL-WN579A3/vul_9/README.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.351070"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.351070"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.765327"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.765328"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "220323"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WL-WN579A3", "source": "cna", "vendor": "Wavlink"}, "product": "wl-wn579a3", "vendor": "wavlink"}], "analysis": {"en": {"generated_at": "2026-03-17T16:52:45.688947+00:00", "value": {"mitigation_remediation": ["Apply the official firmware upgrade that removes the vulnerable wireless.cgi implementation."], "summary": {"action": "Patch Immediately", "impact": "Remote Command Execution via POST Request"}, "threat_synthesis": {"affected_systems": "Affected product: Wavlink WL-WN579A3 firmware version 220323 (or any firmware incorporating the original SetName/GuestWifi implementation). Users of this model are directly impacted by the command injection flaw exposed through the POST Request Handler in wireless.cgi.", "description_and_impact": "The vulnerability exists in the SetName/GuestWifi function within /cgi-bin/wireless.cgi of the Wavlink WL-WN579A3 firmware. An attacker can craft specially formed POST requests that are not properly sanitized, resulting in OS command injection (CWE-74 and CWE-77). Successful exploitation allows execution of arbitrary shell commands on the device, leading to full compromise of confidentiality, integrity, and availability of the wireless router and any networks it supports.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.3, indicating critical severity, and an EPSS score of less than 1%, suggesting that while exploitation is technically possible, it may not be widespread yet. The vulnerability is not listed in CISA\u2019s KEV catalog, but the public exploit code available in GitHub repositories indicates active interest. Attackers can remotely trigger the flaw by sending a crafted POST request over the network, bypassing authentication or other controls that may exist. Remediation through firmware upgrade eliminates the attack surface."}}}}, "created": "2026-03-16T09:22:16.666095+00:00", "updated": "2026-03-23T13:39:02.960012+00:00", "vendors": ["wavlink", "wavlink$PRODUCT$wl-wn579a3"]}