PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8190 Vuldb CVE debrief

CVE-2026-8190 describes a command-injection issue in the Wavlink NU516U1 M16U1_V240425 WAN handling path. The source says attacker-controlled values in /cgi-bin/adm.cgi can reach OS command execution, and that the exploit has been publicly disclosed. Even though the supplied CVSS score is low, internet-exposed devices should be treated carefully because the attack surface is remote and administrative.

Vendor: Vuldb
Product: Unknown
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

Administrators and owners of Wavlink NU516U1 devices running M16U1_V240425, especially systems exposed to the internet or reachable from untrusted networks. Security teams supporting small-office/home-office routers and edge appliances should also review this issue.

Technical summary

The supplied description ties the issue to the wan function in /cgi-bin/adm.cgi. The parameters ppp_username, ppp_passwd, rwan_ip, rwan_mask, and rwan_gateway are described as being passed in a way that allows OS command injection. The NVD record also lists CWE-77 and CWE-78, consistent with command-injection weakness classes, and notes a public disclosure via the cited references.

Defensive priority

Medium for most environments; elevated for any internet-exposed or broadly reachable Wavlink NU516U1 deployment.

Recommended defensive actions

  • Identify any Wavlink NU516U1 devices and confirm whether they run M16U1_V240425.
  • Restrict access to administrative and WAN-facing management interfaces to trusted networks only.
  • Review the referenced vendor and NVD materials for any fixed firmware or mitigation guidance.
  • Monitor affected devices for unexpected configuration changes or signs of command execution.
  • If remediation is unavailable, isolate the device behind segmentation or replace it with a supported model.
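
For the monitoring step above, one way to triage captured requests to /cgi-bin/adm.cgi is to flag the five named parameters when their values contain shell metacharacters or, for the address fields, are not plain dotted quads. This is an added example, not code from the advisory or the vendor; the record layout (client, method, URL, body) and the sample records are constructed, and it assumes a proxy or capture that records request bodies.

```python
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/cgi-bin/adm.cgi"
# Parameters the advisory names as reaching OS command execution.
WATCHED = {"ppp_username", "ppp_passwd", "rwan_ip", "rwan_mask", "rwan_gateway"}
ADDRESS_FIELDS = {"rwan_ip", "rwan_mask", "rwan_gateway"}
DOTTED_QUAD = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
# Characters a shell treats specially; a legitimate password may contain
# some of these, so hits on ppp_passwd need manual review.
SHELL_META = re.compile(r"[;&|`$<>\n\r\\(){}]")

def suspicious_params(url, body=""):
    """Return sorted names of watched parameters whose values look unsafe."""
    parts = urlsplit(url)
    if parts.path != ENDPOINT:
        return []
    # parse_qsl percent-decodes, so encoded metacharacters are caught too.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    hits = set()
    for name, value in pairs:
        if name not in WATCHED:
            continue
        if name in ADDRESS_FIELDS and value and not DOTTED_QUAD.fullmatch(value):
            hits.add(name)
        elif SHELL_META.search(value):
            hits.add(name)
    return sorted(hits)

def scan(records):
    """Return (client, flagged parameter names) for each suspicious record."""
    findings = []
    for client, _method, url, body in records:
        hits = suspicious_params(url, body)
        if hits:
            findings.append((client, hits))
    return findings

# Constructed sample records (documentation address ranges), not real traffic.
SAMPLE = [
    ("192.0.2.10", "POST", ENDPOINT,
     "rwan_ip=198.51.100.7&rwan_mask=255.255.255.0&rwan_gateway=198.51.100.1"),
    ("203.0.113.5", "POST", ENDPOINT,
     "rwan_ip=198.51.100.7%3Bexample&rwan_mask=255.255.255.0"),
    ("203.0.113.5", "POST", ENDPOINT, "ppp_username=user%60example%60&ppp_passwd=x"),
    ("192.0.2.10", "GET", "/cgi-bin/login.cgi?rwan_ip=1%3B2", ""),
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE):
        print(client, ",".join(hits))
```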

Evidence notes

The CVE was published and modified on 2026-05-09T18:16:22.293Z. The supplied description states that /cgi-bin/adm.cgi wan handling can be manipulated through ppp_username, ppp_passwd, rwan_ip, rwan_mask, and rwan_gateway to cause OS command injection, and that the exploit has been publicly disclosed. The NVD metadata lists Vuldb-sourced references, a GitHub-hosted writeup, and Vuldb advisory pages, and classifies the weakness with CWE-77 and CWE-78.

Official resources

The source indicates early vendor contact and states that the exploit has been publicly disclosed. The CVE publication timestamp supplied for this issue is 2026-05-09T18:16:22.293Z.