PatchSiren

Wavlink CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Wavlink CVE published 2026-06-29

CVE-2026-13539

CVE-2026-13539 is a stack-based buffer overflow vulnerability in the Wavlink WL-NU516U1-A M16U1_V240425 device. The issue is located in the /cgi-bin/wireless.cgi file, specifically in the sub_407504 function, which handles the Guest_ssid argument in a POST request. This vulnerability allows for remote exploitation and a publicly available exploit exists. The vendor, Wavlink, was contacted and responded pr [truncated]

LOW Wavlink CVE published 2026-06-29

CVE-2026-13538

CVE-2026-13538 is a command injection vulnerability in the Wavlink WL-NU516U1-A M16U1_V240425 device. The vulnerability exists in the sub_401D68 function of the /cgi-bin/wireless.cgi file, specifically in the POST parameter handler. An attacker can exploit this vulnerability by manipulating the SSID2G2, SSID5G2, AuthMethod2, and WPAPSK12 arguments, allowing for remote command injection. The exploit has be [truncated]

LOW Wavlink CVE published 2026-05-10

CVE-2026-8230

CVE-2026-8230 is a remotely reachable command-injection issue reported in Wavlink NU516U1 240425. The vulnerable path is the sys_login1 function in /cgi-bin/login.cgi, where manipulation of the ipaddr argument can lead to OS command injection. Although the CVSS score is low, the source description says an exploit has been published, which increases practical concern for exposed devices. The vendor was con [truncated]

LOW Wavlink CVE published 2026-05-10

CVE-2026-8229

CVE-2026-8229 is a remote OS command-injection issue reported in Wavlink NU516U1 240425. The vulnerable path is /cgi-bin/wireless.cgi, specifically the WifiBasic function, where manipulation of AuthMethod or EncrypType can lead to command execution. The supplied description also states that a public exploit exists, so exposed devices should be treated as urgently reviewable even though the listed CVSS score is low.

LOW Wavlink CVE published 2026-05-09

CVE-2026-8192

CVE-2026-8192 is a reported command-injection flaw in Wavlink NU516U1 M16U1_V240425, affecting the wzdap function in /cgi-bin/adm.cgi. The supplied disclosure says attacker-controlled EncrypType/wl_Pass input can lead to OS command injection, that the attack may be initiated remotely, and that a public exploit has been released. Even though the published severity is low, exposed devices should be reviewed [truncated]

LOW Wavlink CVE published 2026-05-09

CVE-2026-8191

CVE-2026-8191 describes a remote OS command injection issue in Wavlink NU516U1 M16U1_V240425. The vulnerable path is /cgi-bin/adm.cgi, where manipulation of the skiplist1/skiplist2 arguments in the wifi_region function can lead to command execution. Although the published CVSS score is low, the issue matters because it is network-reachable, there is public reporting of an exploit, and the vendor was repor [truncated]