CVE-2026-2615

CVE Database · CVE-2026-2615

CVE-2026-2615

· HIGHAnalyzed

CVSS v3.1

7.2

CVSS v4.0

7.3

EPSS

8.65%

Published

Feb 17, 2026

Modified

Feb 18, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A flaw has been found in Wavlink WL-NU516U1 up to 20251208. The affected element is the function singlePortForwardDelete of the file /cgi-bin/firewall.cgi. Executing a manipulation of the argument del_flag can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-74CWE-77

Affected Products (2)

wavlink · wl-nu516u1_firmwarevulnerable

wavlink · wl-nu516u1

References (5)

https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/singlePortForwardDelete.md

ExploitThird Party Advisory

https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/singlePortForwardDelete.md#exp

Exploit