Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.3
Wavlink WL-NU516U1 Firmware Through 20251208 Allows Remote Code Execution
CVE-2026-2615
Summary
A security flaw in the Wavlink WL-NU516U1's firewall settings can be exploited remotely, allowing an attacker to execute malicious code on the device. This can happen if the device is not updated to a secure version of the firmware. We recommend checking with the manufacturer for an update or contacting a security expert for assistance.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wavlink | wl-nu516u1_firmware | <= 2025-12-08 | – |
Original title
A flaw has been found in Wavlink WL-NU516U1 up to 20251208. The affected element is the function singlePortForwardDelete of the file /cgi-bin/firewall.cgi. Executing a manipulation of the argument ...
Original description
A flaw has been found in Wavlink WL-NU516U1 up to 20251208. The affected element is the function singlePortForwardDelete of the file /cgi-bin/firewall.cgi. Executing a manipulation of the argument del_flag can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
nvd CVSS2.0
8.3
nvd CVSS3.1
7.2
nvd CVSS4.0
7.3
Vulnerability type
CWE-74
Injection
CWE-77
Command Injection
- https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/singlePortForwardD... Exploit Third Party Advisory
- https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/singlePortForwardD... Exploit
- https://vuldb.com/?ctiid.346265 Permissions Required VDB Entry
- https://vuldb.com/?id.346265 Third Party Advisory VDB Entry
- https://vuldb.com/?submit.751047 Third Party Advisory VDB Entry
Published: 17 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026