CVE-2026-4544 identifies a cross-site scripting (XSS) vulnerability in the Wavlink WL-WN578W2 router firmware version 221110. The vulnerability resides in the POST request handler of the /cgi-bin/login.cgi endpoint, specifically involving the manipulation of the homepage/hostname/login_page parameter. An attacker can craft a malicious POST request that injects executable script code into the web interface, which is then executed in the context of the victim’s browser when interacting with the login page. This XSS flaw is remotely exploitable without requiring prior authentication, but it does require user interaction, such as clicking a crafted link or visiting a malicious page. The vulnerability does not affect the confidentiality or availability of the device directly but can compromise the integrity of the web session, enabling attackers to steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites. The vendor was notified early but has not issued any patches or advisories, leaving the vulnerability unmitigated. The CVSS 4.0 base score is 4.8, reflecting medium severity due to the ease of remote exploitation balanced against the need for user interaction and limited impact scope. No known exploits have been observed in the wild yet, but public disclosure increases the risk of exploitation attempts. This vulnerability affects organizations using this specific Wavlink router model, especially those exposing the device’s web interface to untrusted networks.

The primary impact of CVE-2026-4544 is the potential compromise of the web management interface of the Wavlink WL-WN578W2 router. Successful exploitation can lead to session hijacking, credential theft, or unauthorized actions performed with the privileges of the logged-in user. This can result in attackers gaining persistent access to the router’s configuration, enabling further network compromise or surveillance. Although the vulnerability does not directly affect device availability or confidentiality of stored data, the integrity of the management interface is compromised, which can cascade into broader network security risks. Organizations relying on this router for critical network functions, especially those with remote management enabled, face increased risk of targeted attacks. The lack of vendor response and patches prolongs exposure, increasing the window for attackers to develop and deploy exploits. The requirement for user interaction limits automated mass exploitation but does not eliminate risk, particularly in environments where users may be socially engineered. Overall, the threat could facilitate lateral movement within networks and undermine trust in network infrastructure devices.

Given the absence of official patches, organizations should implement the following specific mitigations: 1) Restrict access to the router’s web management interface by limiting it to trusted internal networks only, using firewall rules or network segmentation. 2) Disable remote management features if not strictly necessary to reduce exposure to the internet. 3) Employ web filtering or endpoint protection to block access to known malicious URLs that could be used in social engineering attacks exploiting this XSS. 4) Educate users and administrators about the risks of clicking unsolicited links or visiting untrusted websites while logged into the router’s interface. 5) Monitor network traffic and router logs for unusual activity that may indicate exploitation attempts. 6) Consider replacing affected devices with models from vendors that provide timely security updates. 7) If feasible, implement web application firewalls (WAFs) or reverse proxies that can sanitize or block malicious POST requests targeting the vulnerable endpoint. 8) Regularly review and update router firmware to the latest versions once the vendor releases a patch addressing this vulnerability.