Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Wavlink WL-WN579A3: Remote Command Injection via /cgi-bin/login.cgi
CVE-2026-2527
Summary
A security flaw in the Wavlink WL-WN579A3's login system allows an attacker to execute unauthorized commands from a remote location. This could potentially be used to take control of the device. We recommend updating your firmware to the latest version or disabling remote access to the login page to mitigate this risk.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wavlink | wl-wn579a3_firmware | <= 2021-02-19 | – |
Original title
A vulnerability was determined in Wavlink WL-WN579A3 up to 20210219. Affected is an unknown function of the file /cgi-bin/login.cgi. Executing a manipulation of the argument key can lead to command...
Original description
A vulnerability was determined in Wavlink WL-WN579A3 up to 20210219. Affected is an unknown function of the file /cgi-bin/login.cgi. Executing a manipulation of the argument key can lead to command injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
nvd CVSS2.0
6.5
nvd CVSS3.1
9.8
nvd CVSS4.0
5.3
Vulnerability type
CWE-74
Injection
CWE-77
Command Injection
- https://github.com/MRAdera/IoT-Vuls/blob/main/wavlink/wn579a3/login.md Exploit Third Party Advisory
- https://vuldb.com/?ctiid.346115 Permissions Required VDB Entry
- https://vuldb.com/?id.346115 Third Party Advisory VDB Entry
- https://vuldb.com/?submit.748074 Third Party Advisory VDB Entry
Published: 16 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026