OS Command Injection Vulnerability in Wavlink WL-NU516U1
CVE-2026-15513
Key Information:
- Vendor
Wavlink
- Status
- Vendor
- CVE Published:
- 12 July 2026
Badges
What is CVE-2026-15513?
A security flaw has been identified in the Wavlink WL-NU516U1, which is caused by an OS command injection vulnerability in the wlink_uci_set_value function of the /cgi-bin/adm.cgi file. By manipulating the 'lan_ip' argument, an attacker can execute arbitrary commands on the device remotely. This vulnerability is particularly concerning as it can be exploited over the internet, potentially compromising the device's integrity. The vendor has responded proactively, providing a patch to address this issue swiftly. Users are strongly advised to upgrade to the fixed version to safeguard their systems.
Affected Version(s)
WL-NU516U1 260515
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
