CVE-2026-4166 identifies a cross-site scripting vulnerability in the Wavlink WL-NU516U1 wireless router, firmware version 240425. The vulnerability resides in the CGI script /cgi-bin/login.cgi, specifically within the function sub_404F68, which processes the homepage/hostname parameter. Due to insufficient input validation and sanitization, an attacker can craft malicious input that is reflected back in the web interface without proper encoding, enabling the injection and execution of arbitrary JavaScript code in the context of the victim’s browser session. This flaw can be exploited remotely by sending a specially crafted URL to a user, who must interact with the link for the attack to succeed. The vulnerability does not require authentication, increasing its risk profile. The CVSS 4.0 base score is 5.1, reflecting medium severity, with attack vector network, low attack complexity, no privileges required, but user interaction needed. The impact primarily affects confidentiality and integrity by enabling session hijacking, credential theft, or redirection to malicious sites. The vendor was informed early, but no official patch or mitigation guidance has been published yet. No active exploitation has been reported, but a public proof-of-concept exploit exists, increasing the urgency for mitigation.

The primary impact of this vulnerability is on the confidentiality and integrity of users interacting with the affected router’s web interface. Successful exploitation can lead to execution of arbitrary scripts in the victim’s browser, enabling session hijacking, theft of authentication cookies, or redirection to phishing or malware distribution sites. This can compromise user credentials and network security, potentially allowing attackers to gain unauthorized access to the router’s management interface or connected network resources. Since the vulnerability requires user interaction, social engineering or phishing campaigns could be used to lure victims into triggering the exploit. Organizations relying on the Wavlink WL-NU516U1 for network connectivity or management may face increased risk of targeted attacks, especially in environments where these devices are exposed to untrusted networks or users. The lack of an official patch increases the window of exposure, and the public availability of exploit code raises the likelihood of opportunistic attacks.

To mitigate this vulnerability, organizations should first isolate affected Wavlink WL-NU516U1 devices from untrusted networks and restrict access to the router’s web management interface to trusted administrators only, preferably via VPN or secure management VLANs. Network administrators should monitor for suspicious HTTP requests targeting the /cgi-bin/login.cgi endpoint, especially those containing unusual or encoded characters in the homepage/hostname parameter. Employing web application firewalls (WAFs) with custom rules to detect and block reflected XSS payloads targeting this parameter can reduce risk. Users should be educated to avoid clicking on unsolicited or suspicious links that could exploit this vulnerability. Until an official patch is released, consider replacing affected devices with models not impacted by this vulnerability or applying vendor-recommended firmware updates if they become available. Additionally, implement multi-factor authentication on router management interfaces where possible to reduce the impact of credential theft. Regularly review and update network device inventories to identify and track vulnerable devices for prioritized remediation.