Cyber Resilience

CVE-2026-4861

HighPublic PoC

Published: 26 March 2026

Published
26 March 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0085 53.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4861 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Wavlink Wl-Nu516U1 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 46.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-4861 is a stack-based buffer overflow vulnerability affecting the Wavlink WL-NU516U1 device with firmware version 260227. The flaw resides in the ftext function of the /cgi-bin/nas.cgi component and is triggered by manipulation of the Content-Length argument. Published on 2026-03-26, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and 121 (Stack-based Buffer Overflow).

An attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and without requiring user interaction. Exploitation leads to high impacts on confidentiality, integrity, and availability, enabling potential arbitrary code execution on the affected device.

Advisories from VulDB indicate that the vendor was contacted early regarding this issue but provided no response or patches. A public exploit is available in a GitHub repository detailing the Content-Length manipulation, along with VulDB entries documenting the vulnerability (ctiid.353192, id.353192, submit.776217). Security practitioners should isolate affected devices and monitor for exploitation attempts until vendor remediation is available.

EU & UK References

Vulnerability details

A weakness has been identified in Wavlink WL-NU516U1 260227. This vulnerability affects the function ftext of the file /cgi-bin/nas.cgi. This manipulation of the argument Content-Length causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made…

more

available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in public-facing /cgi-bin/nas.cgi (Content-Length) yields remote unauthenticated-to-root or low-priv-to-root RCE; directly maps to T1190 for the network-exposed service and T1068 for the privilege-escalation outcome given PR:L + full C/I/A impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3613Same product: Wavlink Wl-Nu516U1
CVE-2026-2567Same product: Wavlink Wl-Nu516U1
CVE-2026-3703Same product: Wavlink Wl-Nu516U1
CVE-2026-3662Same product: Wavlink Wl-Nu516U1
CVE-2026-8192Same product: Wavlink Wl-Nu516U1
CVE-2026-3661Same product: Wavlink Wl-Nu516U1
CVE-2026-8188Same product: Wavlink Wl-Nu516U1
CVE-2026-8230Same product: Wavlink Wl-Nu516U1
CVE-2026-8189Same product: Wavlink Wl-Nu516U1
CVE-2026-8227Same product: Wavlink Wl-Nu516U1

Affected Assets

wavlink
wl-nu516u1 firmware
m16u1_v260227

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates manipulated inputs like Content-Length in the nas.cgi ftext function to prevent stack-based buffer overflows.

prevent

Implements memory protection safeguards such as stack canaries or DEP to block unauthorized code execution from buffer overflow exploits.

prevent

Requires identification and timely remediation of the known stack buffer overflow flaw in the Wavlink device firmware.

References