CVE-2026-8227
Published: 10 May 2026
Summary
CVE-2026-8227 is a low-severity Command Injection (CWE-77) vulnerability in Wavlink Wl-Nu516U1 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A weakness has been identified in Wavlink NU516U1 firmware version 240425 within the wzdapMesh function of /cgi-bin/adm.cgi. The flaw permits OS command injection through crafted input and is reachable over the network, as indicated by the associated CWEs 77 and 78. The vendor was notified prior to public disclosure of the issue.
An authenticated remote attacker can supply malicious parameters to the affected CGI endpoint and execute arbitrary operating-system commands on the device. Successful exploitation yields limited control over the target system, consistent with the CVSS vector requiring low privileges and producing low impact to confidentiality, integrity, and availability.
Public exploit code has been released, and references point to detailed proof-of-concept material hosted on GitHub along with entries in the Vuldb database. No vendor advisory or patch information is referenced in the available sources.
The EPSS score rose from a low baseline to a recorded peak of 0.0106, indicating that exploitation interest increased after disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28975
Vulnerability details
A weakness has been identified in Wavlink NU516U1 240425. This issue affects the function wzdapMesh of the file /cgi-bin/adm.cgi. This manipulation causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public…
more
and could be used for attacks. The vendor was contacted early about this disclosure.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote OS command injection in public CGI endpoint directly enables exploitation of public-facing app (T1190) and Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.