CVE-2026-2529
Published: 16 February 2026
Description
A security flaw has been discovered in Wavlink WL-WN579A3 up to 20210219. Affected by this issue is the function DeleteMac of the file /cgi-bin/wireless.cgi. The manipulation of the argument delete_list results in command injection. The attack can be executed remotely.…
more
The vendor was contacted early about this disclosure but did not respond in any way.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates command injection by requiring validation of the delete_list argument at the CGI input point to reject malicious payloads.
Enforces restrictions on the delete_list parameter to only allow valid MAC address formats, blocking command injection attempts.
Requires timely remediation of the specific command injection flaw in the DeleteMac function of wireless.cgi.
Security SummaryAI
CVE-2026-2529 is a command injection vulnerability (CWE-74, CWE-77) affecting the DeleteMac function in the /cgi-bin/wireless.cgi file of Wavlink WL-WN579A3 firmware versions up to 20210219. Published on 2026-02-16, the flaw enables remote attackers to inject commands by manipulating the delete_list argument.
The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating exploitation over the network with low complexity, requiring low privileges but no user interaction. Attackers with such access can achieve limited impacts on confidentiality, integrity, and availability through injected commands.
Advisories from VulDB and a GitHub repository detail the issue but note that the vendor was contacted early without any response or patch release. No official mitigations are available from the vendor.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection vulnerability in public-facing web CGI interface (/cgi-bin/wireless.cgi) enables exploitation of public-facing applications (T1190) and arbitrary command execution via Unix shell (T1059.004).