VYPR
Medium severity 4.3 · NVD Advisory · Published Apr 19, 2026 · Updated Apr 22, 2026

CVE-2026-6559

Description

A weakness has been identified in Wavlink WL-WN579A3 220323. It affects the function sub_401F80 of the file /cgi-bin/login.cgi. Manipulation of the argument Hostname causes cross-site scripting. The attack can be exploited remotely. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner, and quickly released a fixed version of the affected product.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting vulnerability in the login.cgi of the Wavlink WL-WN579A3 router allows remote attackers to execute arbitrary JavaScript via a crafted Hostname parameter.

The vulnerability is a reflected cross-site scripting (XSS) issue in the Wavlink WL-WN579A3 router firmware version 220323. The flaw resides in the file /cgi-bin/login.cgi, specifically in the function sub_401F80. The Hostname parameter from a POST request is directly concatenated into the response without proper sanitization, allowing an attacker to inject arbitrary HTML or JavaScript [1].

Exploitation requires sending a crafted POST request to /cgi-bin/login.cgi with a malicious Hostname value. For example, setting Hostname to 192.168.6.2"<svg/onload=alert()> triggers the XSS. The attack is remote and does not require authentication, as the login.cgi endpoint is accessible to unauthenticated users [1].

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or further attacks against the router's web interface. The XSS is triggered when the response is rendered, and the injected script runs with the privileges of the logged-in user [1].

The vendor was contacted and released a fixed firmware version. Users are strongly advised to upgrade to the latest firmware available from Wavlink's official website to mitigate this vulnerability [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
