What is CVE-2026-4164?

CVE-2026-4164 is a critical-severity vulnerability in Wavlink Wl-wn578w2, classified under Command Injection. CVSS score: 9.8/10. Published 2026-03-15.

How severe is CVE-2026-4164?

Critical severity. CVSS v3 base score is 9.8 out of 10.

RCE in Wavlink Wl-wn578w2

CVE-2026-4164

A flaw has been found in Wavlink WL-WN578W2 221110. Impacted is the function Delete_Mac_list/SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Executing a manipulation can lead to command injection…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.002 (47.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C.

Affected products

Wavlink Wl-wn578w2 — versions 221110

Weakness classification (CWE)

References

VDB-351071 | Wavlink WL-WN578W2 POST Request wireless.cgi GuestWifi command injection (vdb-entry, technical-description)
VDB-351071 | CTI Indicators (IOB, IOC, TTP, IOA) (signature, permissions-required)
Submit #768292 | Wavlink WL-WN578W2 V221110 Command Injection (third-party-advisory)
Submit #768293 | Wavlink WL-WN578W2 V221110 Command Injection (Duplicate) (third-party-advisory)
Submit #768294 | Wavlink WL-WN578W2 V221110 Command Injection (Duplicate) (third-party-advisory)
github.com/Litengzheng/vul_db/blob/main/WL-WN578W2/vul_1/README.md (related)
github.com/Litengzheng/vul_db/blob/main/WL-WN578W2/vul_2/README.md (exploit)
dl.wavlink.com/firmware/RD/WINSTAR_WN578W2-A-2026-03-10-94f93d4-WO-mt7628-squas… (patch)

Frequently asked questions

What is CVE-2026-4164?: CVE-2026-4164 is a critical-severity vulnerability in Wavlink Wl-wn578w2, classified under Command Injection. CVSS score: 9.8/10. Published 2026-03-15.
How severe is CVE-2026-4164?: Critical severity. CVSS v3 base score is 9.8 out of 10.