PT-2026-39401 · Wavlink · Nu516U1

Ziyue Xie · Published 2026-05-09 · Updated 2026-05-09 · CVE-2026-8190

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Wavlink NU516U1 version M16U1 V240425

Description

An OS command injection flaw exists in the wan() function within the '/cgi-bin/adm.cgi' endpoint. A remote attacker can exploit this by manipulating the ppp username, ppp passwd, rwan ip, rwan mask, and rwan gateway arguments, which are passed directly to the system without proper validation.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Command Injection

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-8190

Affected Products

Nu516U1