CVE-2026-2526
MEDIUM
CVSS 5.3
No EPSS data
Description
A vulnerability was found in Wavlink WL-WN579A3 up to 20210219. This impacts the function multi_ssid of the file /cgi-bin/wireless.cgi. Performing a manipulation of the argument SSID2G2 results in command injection. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
Show JSON
{
"cve": {
"id": "CVE-2026-2526",
"cveTags": [],
"metrics": {
"cvssMetricV2": [
{
"type": "Secondary",
"source": "cna@vuldb.com",
"cvssData": {
"version": "2.0",
"baseScore": 6.5,
"accessVector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"authentication": "SINGLE",
"integrityImpact": "PARTIAL",
"accessComplexity": "LOW",
"availabilityImpact": "PARTIAL",
"confidentialityImpact": "PARTIAL"
},
"acInsufInfo": false,
"impactScore": 6.4,
"baseSeverity": "MEDIUM",
"obtainAllPrivilege": false,
"exploitabilityScore": 8,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"type": "Secondary",
"source": "cna@vuldb.com",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 6.3,
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"integrityImpact": "LOW",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "LOW",
"privilegesRequired": "LOW",
"confidentialityImpact": "LOW"
},
"impactScore": 3.4,
"exploitabilityScore": 2.8
},
{
"type": "Primary",
"source": "nvd@nist.gov",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 8.8,
"attackVector": "NETWORK",
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"integrityImpact": "HIGH",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "HIGH",
"privilegesRequired": "LOW",
"confidentialityImpact": "HIGH"
},
"impactScore": 5.9,
"exploitabilityScore": 2.8
}
],
"cvssMetricV40": [
{
"type": "Secondary",
"source": "cna@vuldb.com",
"cvssData": {
"Safety": "NOT_DEFINED",
"version": "4.0",
"Recovery": "NOT_DEFINED",
"baseScore": 5.3,
"Automatable": "NOT_DEFINED",
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"exploitMaturity": "PROOF_OF_CONCEPT",
"providerUrgency": "NOT_DEFINED",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "LOW",
"subIntegrityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"vulnAvailabilityImpact": "LOW",
"availabilityRequirement": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"subConfidentialityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED"
}
}
]
},
"published": "2026-02-16T02:16:06.423",
"references": [
{
"url": "https://github.com/MRAdera/IoT-Vuls/blob/main/wavlink/wn579a3/multi_ssid.md",
"tags": [
"Exploit",
"Third Party Advisory"
],
"source": "cna@vuldb.com"
},
{
"url": "https://vuldb.com/?ctiid.346114",
"tags": [
"Permissions Required",
"VDB Entry"
],
"source": "cna@vuldb.com"
},
{
"url": "https://vuldb.com/?id.346114",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"source": "cna@vuldb.com"
},
{
"url": "https://vuldb.com/?submit.748073",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"source": "cna@vuldb.com"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Secondary",
"source": "cna@vuldb.com",
"description": [
{
"lang": "en",
"value": "CWE-74"
},
{
"lang": "en",
"value": "CWE-77"
}
]
},
{
"type": "Primary",
"source": "nvd@nist.gov",
"description": [
{
"lang": "en",
"value": "CWE-77"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Wavlink WL-WN579A3 up to 20210219. This impacts the function multi_ssid of the file /cgi-bin/wireless.cgi. Performing a manipulation of the argument SSID2G2 results in command injection. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en Wavlink WL-WN579A3 hasta 20210219. Esto afecta a la funci\u00f3n multi_ssid del archivo /cgi-bin/wireless.cgi. Realizar una manipulaci\u00f3n del argumento SSID2G2 resulta en inyecci\u00f3n de comandos. El ataque puede ser iniciado remotamente. El exploit se ha hecho p\u00fablico y podr\u00eda ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgaci\u00f3n pero no respondi\u00f3 de ninguna manera."
}
],
"lastModified": "2026-02-18T19:07:21.820",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:wavlink:wl-wn579a3_firmware:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F3B74656-54E8-43C6-A75F-E45F87CA4302",
"versionEndIncluding": "2021-02-19"
}
],
"operator": "OR"
},
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:h:wavlink:wl-wn579a3:-:*:*:*:*:*:*:*",
"vulnerable": false,
"matchCriteriaId": "55EAFBB8-31E1-4B0F-A5E7-7CD5D9E90132"
}
],
"operator": "OR"
}
],
"operator": "AND"
}
],
"sourceIdentifier": "cna@vuldb.com"
}
}