CVE-2026-4163 · CRITICAL 9.8 · EPSS p79.3%

Description

A vulnerability was detected in Wavlink WL-WN579A3 220323. This issue affects the function SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading the affected component is recommended.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.10% probability of exploitation · percentile 79.3% · 2026-06-18T12:00:27Z
Published: 2026-03-16
Last modified: 2026-04-22

Underlying weaknesses · 2

CWE-74, CWE-77

References

  1. https://dl.wavlink.com/firmware/RD/WINSTAR_WN579A3-A-2026-03-10-94f93d4-WO-mt7628-squashfs-sysupgrade.bin
  2. https://github.com/Litengzheng/vul_db/blob/main/WL-WN579A3/vul_10/README.md
  3. https://github.com/Litengzheng/vul_db/blob/main/WL-WN579A3/vul_9/README.md
  4. https://vuldb.com/?ctiid.351070
  5. https://vuldb.com/?id.351070
  6. https://vuldb.com/?submit.765327
  7. https://vuldb.com/?submit.765328

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (cwe-74) | 0% | live |
| Weakness | Improper Neutralization of Special Elements used in a Command ('Command Injection') (cwe-77) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-4164
  2. CVE-2026-2526
  3. CVE-2026-2530
  4. CVE-2026-2527
  5. CVE-2026-2529
  6. CVE-2026-2528

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.