CVE-2026-4164

CRITICAL 9.8

Wavlink WL-WN578W2 POST Request wireless.cgi GuestWifi command injection

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is the function Delete_Mac_list/SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Executing a manipulation can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. It is recommended to upgrade the affected component.

CWE	CWE-77 CWE-74
Vendor	wavlink
Product	wl-wn578w2
Published	Mar 15, 2026
Last Updated	Mar 17, 2026

Stay Ahead of the Next One

Get instant alerts for wavlink wl-wn578w2

Be the first to know when new critical vulnerabilities affecting wavlink wl-wn578w2 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Wavlink / WL-WN578W2

221110

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/?id.351071 vuldb.com: https://vuldb.com/?ctiid.351071 vuldb.com: https://vuldb.com/?submit.768292 vuldb.com: https://vuldb.com/?submit.768293 vuldb.com: https://vuldb.com/?submit.768294 github.com: https://github.com/Litengzheng/vul_db/blob/main/WL-WN578W2/vul_1/README.md github.com: https://github.com/Litengzheng/vul_db/blob/main/WL-WN578W2/vul_2/README.md dl.wavlink.com: https://dl.wavlink.com/firmware/RD/WINSTAR_WN578W2-A-2026-03-10-94f93d4-WO-mt7628-squashfs-sysupgrade.bin

Credits

🔍 LtzHust (VulDB User)