Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
2.1
CVE-2026-8190: Wavlink NU516U1 WAN Configuration Injection
CVE-2026-8190
Summary
An attacker can remotely inject malicious commands into a Wavlink NU516U1 router's WAN configuration. This could allow an attacker to gain unauthorized access to the router or disrupt internet connectivity. The vendor has been notified and users should consider updating their firmware or applying a patch to mitigate this risk.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| wavlink | wl-nu516u1_firmware |
m16u1_v240425 cpe:2.3:o:wavlink:wl-nu516u1_firmware:m16u1_v240425:*:*:*:*:*:*:* |
Original title
A vulnerability was determined in Wavlink NU516U1 M16U1_V240425. Affected by this issue is the function wan of the file /cgi-bin/adm.cgi. This manipulation of the argument ppp_username/ppp_passwd/r...
Original description
A vulnerability was determined in Wavlink NU516U1 M16U1_V240425. Affected by this issue is the function wan of the file /cgi-bin/adm.cgi. This manipulation of the argument ppp_username/ppp_passwd/rwan_ip/rwan_mask/rwan_gateway is directly passed by the attacker/so we can control the ppp_username/ppp_passwd/rwan_ip/rwan_mask/rwan_gateway causes os command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
nvd CVSS2.0
6.5
nvd CVSS3.1
6.3
nvd CVSS4.0
2.1
Vulnerability type
CWE-77
Command Injection
CWE-78
OS Command Injection
Published: 9 May 2026 · Updated: 28 May 2026 · First seen: 9 May 2026