CVE-2026-8191

Name of the Vulnerable Software and Affected Versions Wavlink NU516U1 version M16U1 V240425

Description Remote OS command injection is possible via the 'wifi region' function within the '/cgi-bin/adm.cgi' endpoint. This occurs through the manipulation of the skiplist1 and skiplist2 arguments, allowing an attacker to execute arbitrary operating system commands remotely.

Recommendations As a temporary workaround, restrict access to the '/cgi-bin/adm.cgi' endpoint or avoid using the skiplist1 and skiplist2 arguments within the 'wifi region' function until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.