CVE-2026-4166
Description
A vulnerability was found in Wavlink WL-NU516U1 240425. The impacted element is the function sub_404F68 of the file /cgi-bin/login.cgi. The manipulation of the argument homepage/hostname results in cross-site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Wavlink WL-NU516U1 firmware 240425 via homepage or hostname parameter in login.cgi allows remote attackers to inject arbitrary scripts.
The vulnerability is a reflected cross-site scripting (XSS) issue in the login.cgi script of Wavlink WL-NU516U1 firmware version 240425. The function sub_404F68 reads the values of the "homepage" or "hostname" parameters from a POST request and copies them into the HTML of the HTTP response without any validation or output encoding, so markup and script supplied in either parameter is returned to the browser as-is [1][2].
An attacker can exploit this by sending a specially crafted POST request to /cgi-bin/login.cgi containing JavaScript in either the homepage or hostname field; the proof-of-concept examples inject <svg/onload=alert()> and the script executes when the response is rendered [1][2]. The request itself needs no credentials, so the attack can be launched remotely without authentication. Because the injection point is a POST parameter and the script runs in the victim's browser, practical exploitation means luring a user who can reach the device's web interface (typically a host on the LAN) to an attacker-controlled page that auto-submits the crafted form.
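The following is an added example, not code from the advisory, the vendor, or the cited proof-of-concepts. It shows how a practitioner would safely confirm the behaviour described above: send a unique, non-executing canary in the homepage or hostname parameter of /cgi-bin/login.cgi and classify whether the response reflects it raw, HTML-encoded, or not at all. The parameter names and path come from the advisory; the canary format, the device URL, any extra form fields login.cgi may require, and the sample responses used for the offline demo are assumptions constructed for illustration.

```python
"""Reflected-XSS reflection check for a login.cgi-style endpoint.

Added example (not vendor or advisory code).  Only the path and the two
parameter names are taken from the advisory; everything else is assumed.
"""
import html
import secrets
import urllib.parse
import urllib.request
from typing import Optional

ENDPOINT_PATH = "/cgi-bin/login.cgi"
PARAMS = ("homepage", "hostname")   # parameters the advisory names as reflected


def make_canary() -> str:
    """Unique marker that contains every character an HTML encoder must
    transform (<, >, ", ') but is not itself executable.  If it comes back
    verbatim the endpoint reflects input raw, and a real payload such as
    <svg/onload=...> would be reflected the same way."""
    tag = secrets.token_hex(4)
    return f'<x{tag} a="\'{tag}">'


def build_probe(param: str, canary: str, extra: Optional[dict] = None) -> bytes:
    """Form-encoded POST body placing the canary in one parameter.  `extra`
    carries any other fields the form may need (assumed; the advisory does not
    list them)."""
    form = dict(extra or {})
    form[param] = canary
    return urllib.parse.urlencode(form).encode()


def classify_reflection(body: str, canary: str) -> str:
    """'raw' when the canary appears byte-for-byte (unencoded reflection),
    'encoded' when only an HTML-escaped form appears (fixed behaviour),
    'absent' when it is not reflected at all."""
    if canary in body:
        return "raw"
    escaped_forms = (html.escape(canary, quote=True), html.escape(canary, quote=False))
    if any(e in body for e in escaped_forms):
        return "encoded"
    return "absent"


def probe(base_url: str, param: str, extra: Optional[dict] = None,
          timeout: float = 5.0) -> str:
    """Send one probe to a device you are authorised to test and classify the
    reply.  Network call; not exercised by the offline demo below."""
    canary = make_canary()
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT_PATH,
                                 data=build_probe(param, canary, extra),
                                 method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return classify_reflection(body, canary)


# Constructed sample responses standing in for what a vulnerable and a fixed
# firmware might return.  These are illustrative, not captured from a device.
def sample_vulnerable_response(canary: str) -> str:
    return f'<html><body><input name="homepage" value="{canary}"></body></html>'


def sample_fixed_response(canary: str) -> str:
    return ('<html><body><input name="homepage" value="'
            f'{html.escape(canary, quote=True)}"></body></html>')


if __name__ == "__main__":
    c = make_canary()
    for label, body in (("vulnerable", sample_vulnerable_response(c)),
                        ("fixed", sample_fixed_response(c))):
        print(f"{label:10s} -> {classify_reflection(body, c)}")
    # Against real hardware (authorised testing only), e.g.:
    # for p in PARAMS: print(p, probe("http://192.168.10.1", p))
```

The canary deliberately avoids alert() and any event handler: a "raw" verdict is already proof that the parameter is reflected without output encoding, which is the root cause, and it leaves nothing behind in a browser if the response is ever rendered. The "encoded" verdict is what a corrected firmware should produce for both parameters.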
Successful exploitation allows an attacker to execute arbitrary JavaScript in the origin of the device's web administration interface, in the browser of the user who submitted the crafted request. This could lead to session hijacking, credential theft, or configuration changes made with that user's privileges, and from there to further attacks on the local network.
As of the publication date, the vendor has been contacted but no official patch has been released. Users are advised to restrict network access to the device and monitor for firmware updates.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
News mentions (0)
No linked articles in our index yet.