CVE-2026-4164 CRITICAL

CVE-2026-4164: Wavlink WL-WN578W2 POST Request wireless.cgi GuestWifi command injection

Vendor Wavlink
Product WL-WN578W2
Weakness CWE-77
Published March 15, 2026
Last update March 17, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is the function Delete_Mac_list/SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Executing a manipulation can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. It is recommended to upgrade the affected component.

Key dates

02Disclosure timeline

March 15, 2026 CVE published
March 17, 2026 Record updated