Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.1
CVE-2026-8189: Wavlink NU516U1 M16U1_V240425 - Remote Command Injection via Web Interface
CVE-2026-8189
Summary
A vulnerability in the web interface of Wavlink NU516U1 M16U1_V240425 allows an attacker to execute arbitrary system commands remotely. This could potentially be used to take control of the device or disrupt its functionality. We recommend that you update to the latest version of the software as soon as possible.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| wavlink | wl-nu516u1_firmware |
m16u1_v240425 cpe:2.3:o:wavlink:wl-nu516u1_firmware:m16u1_v240425:*:*:*:*:*:*:* |
Original title
A vulnerability was found in Wavlink NU516U1 M16U1_V240425. Affected by this vulnerability is the function wzdrepeater of the file /cgi-bin/adm.cgi. The manipulation of the argument wlan_bssid/sel_...
Original description
A vulnerability was found in Wavlink NU516U1 M16U1_V240425. Affected by this vulnerability is the function wzdrepeater of the file /cgi-bin/adm.cgi. The manipulation of the argument wlan_bssid/sel_Automode/sel_EncrypTyp results in os command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure.
nvd CVSS2.0
6.5
nvd CVSS3.1
6.3
nvd CVSS4.0
2.1
Vulnerability type
CWE-77
Command Injection
CWE-78
OS Command Injection
Published: 9 May 2026 · Updated: 28 May 2026 · First seen: 9 May 2026