Platform
other
Component
vul_db
Fixed in
231124.0.1
CVE-2026-3716 is a cross-site scripting (XSS) vulnerability affecting the Wavlink WL-WN579X3-C wireless network adapter. An attacker can exploit this flaw by manipulating the Hostname argument within the /cgi-bin/adm.cgi file, potentially leading to malicious script execution within a user's browser. This vulnerability impacts devices running versions 231124 through 20260226, but a fix is available in version 20260226.
Successful exploitation of CVE-2026-3716 allows an attacker to inject arbitrary JavaScript code into the web interface of the Wavlink WL-WN579X3-C device. This can lead to a variety of malicious outcomes, including session hijacking, credential theft, and defacement of the device's administration pages. The remote nature of the vulnerability means an attacker does not need local access to the device, significantly expanding the potential attack surface. Given the device's role in network connectivity, a compromised device could also be used as a pivot point for further attacks within the network.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. The availability of a public proof-of-concept (PoC) further elevates the risk. While no active campaigns have been definitively linked to CVE-2026-3716 at the time of writing, the ease of exploitation and public availability of PoCs suggest that exploitation is possible. The vulnerability was reported and addressed promptly by the vendor, demonstrating a positive security response.
Exploit Status
EPSS
0.03% (7% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3716 is to upgrade the Wavlink WL-WN579X3-C firmware to version 20260226 or later. If an immediate upgrade is not possible due to compatibility issues or downtime concerns, consider implementing strict input validation on the Hostname parameter within the /cgi-bin/adm.cgi file. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the /cgi-bin/adm.cgi endpoint can also provide a layer of defense. Monitor device logs for unusual activity, particularly requests containing suspicious characters in the Hostname parameter.
Update the Wavlink WL-WN579X3-C device firmware to version 20260226 or later to fix the Cross-Site Scripting (XSS) vulnerability. Download the updated firmware from the vendor's official website and install it following the provided instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-3716 is a cross-site scripting (XSS) vulnerability in the Wavlink WL-WN579X3-C device, allowing attackers to inject malicious scripts via the Hostname parameter in /cgi-bin/adm.cgi.
You are affected if your Wavlink WL-WN579X3-C device is running version 231124 through 20260226. Upgrade to version 20260226 to mitigate the risk.
Upgrade the Wavlink WL-WN579X3-C firmware to version 20260226 or later. Implement input validation on the Hostname parameter as a temporary workaround.
While no confirmed active campaigns are known, the vulnerability is publicly disclosed and a PoC exists, increasing the risk of exploitation.
Contact Wavlink directly for the official advisory regarding CVE-2026-3716. The vendor responded professionally and quickly released a fixed version.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.