PT-2026-39453 · Wavlink · Nu516U1

Ziyue Xie

·

Published

2026-05-10

·

Updated

2026-05-10

·

CVE-2026-8227

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Wavlink NU516U1 version 240425
Description A weakness in the wzdapMesh() function within the '/cgi-bin/adm.cgi' endpoint allows for remote OS command injection. This occurs when the system fails to properly sanitize input, enabling an attacker to execute arbitrary operating system commands on the device.
Recommendations As a temporary workaround, restrict access to the '/cgi-bin/adm.cgi' endpoint or disable the wzdapMesh() function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8227

Affected Products

Nu516U1