CVE-2026-3716: Wavlink WL-WN579X3-C Firmware XSS Flaw

CVE-2026-3716 is a cross-site scripting vulnerability in Wavlink WL-WN579X3-C Firmware affecting the adm.cgi file. Attackers can exploit this remotely via the Hostname parameter. This article covers technical details, affected versions, impact, and mitigation steps.

CVE-2026-3716 Overview

CVE-2026-3716 is a cross-site scripting (XSS) vulnerability in the Wavlink WL-WN579X3-C wireless range extender running firmware version 231124. The flaw resides in the sub_401AD4 function within the /cgi-bin/adm.cgi administrative endpoint. Attackers can manipulate the Hostname argument to inject malicious script content that executes in the context of an authenticated administrator session. The vulnerability is exploitable remotely over the network and the exploit has been publicly disclosed. Wavlink released firmware version 20260226 to resolve the issue. This vulnerability is classified under CWE-79.

Critical Impact

Authenticated attackers can inject persistent script payloads through the device administration interface, enabling session theft or unauthorized configuration changes on affected wireless extenders.

Affected Products

  • Wavlink WL-WN579X3-C hardware device
  • Wavlink WL-WN579X3-C firmware version 231124
  • Administrative web interface (/cgi-bin/adm.cgi)

Discovery Timeline

  • 2026-03-08 - CVE-2026-3716 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2026-3716

Vulnerability Analysis

The vulnerability exists in the sub_401AD4 function within the /cgi-bin/adm.cgi binary on the Wavlink WL-WN579X3-C router. The function processes the Hostname parameter submitted through the device administration interface without performing proper output encoding or input sanitization. When the stored hostname value is later rendered in administrative views, embedded HTML or JavaScript executes in the browser context of the viewing user.

Because the vulnerable endpoint sits behind authentication, exploitation requires existing administrator privileges or user interaction to submit the malicious payload. The Wavlink WL-WN579X3-C is a wireless range extender, and the affected administration CGI handles device configuration tasks accessible via the LAN management interface.

Root Cause

The root cause is improper neutralization of input during web page generation, tracked under CWE-79. The sub_401AD4 function accepts user-supplied data through the Hostname argument and stores or reflects it back into HTML responses without applying context-aware encoding. The handler does not escape angle brackets or quotes and does not neutralize JavaScript event-handler attributes, so arbitrary script content can be persisted and rendered.

Attack Vector

An attacker with administrative access to the device sends a crafted POST request to /cgi-bin/adm.cgi containing a JavaScript payload in the Hostname field. When any administrator subsequently views the affected configuration page, the payload executes in their browser. The script can read session cookies, issue authenticated CSRF-style requests to modify device settings, or pivot toward further compromise of the management interface. Exploit details have been publicly disclosed in the GitHub vulnerability database entry and in VulDB submission #765326.

Detection Methods for CVE-2026-3716

Indicators of Compromise

  • HTTP POST requests to /cgi-bin/adm.cgi containing HTML tags, <script> elements, or JavaScript event handlers in the Hostname parameter
  • Wavlink WL-WN579X3-C devices reporting firmware version 231124 in network inventory scans
  • Unexpected hostname strings configured on the device that contain non-alphanumeric markup characters

Detection Strategies

  • Inspect web application firewall logs for requests to the device administration CGI containing encoded or raw script syntax in form parameters
  • Audit Wavlink device configuration exports for hostname fields containing characters outside the typical RFC 1123 hostname character set
  • Correlate administrator authentication events with subsequent configuration changes that include the Hostname field

Monitoring Recommendations

  • Log all HTTP traffic destined to the management IP addresses of Wavlink range extenders and alert on payloads containing <, >, or javascript: substrings
  • Track firmware versions across IoT inventory and flag any WL-WN579X3-C devices not running version 20260226 or later
  • Monitor administrator browser sessions for anomalous outbound requests originating from device management pages
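
The Hostname checks described in the indicators, detection strategies and monitoring recommendations above can be combined into one log filter. The following is an added example, not code from Wavlink or from the original advisory; it assumes the log source exposes the request method, path and a form-urlencoded body, and the sample records are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus

ADM_CGI = "/cgi-bin/adm.cgi"
# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# 1-63 characters each, not starting or ending with a hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
RFC1123 = re.compile(rf"{LABEL}(?:\.{LABEL})*")
# Characters and substrings the page says to alert on, plus event-handler syntax.
MARKUP = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so a double-encoded value is seen decoded."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_request(method, path, body):
    """Return a finding for a suspicious Hostname submission, else None."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ADM_CGI:
        return None
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name.lower() != "hostname":
            continue
        for once_decoded in values:  # parse_qs has already decoded one round
            host = fully_decode(once_decoded)
            if not host or (len(host) <= 253 and RFC1123.fullmatch(host)):
                continue
            reason = "markup" if MARKUP.search(host) else "non-rfc1123"
            return {"value": host, "reason": reason}
    return None

# Constructed sample records (method, path, form body); not captured traffic.
SAMPLE = [
    ("POST", "/cgi-bin/adm.cgi", "Hostname=extender-livingroom"),
    ("POST", "/cgi-bin/adm.cgi", "Hostname=%3Cscript%3Etest%3C%2Fscript%3E"),
    ("POST", "/cgi-bin/adm.cgi", "Hostname=%253Cb%253Eext"),
    ("POST", "/cgi-bin/adm.cgi", "Hostname=my_extender"),
    ("GET", "/cgi-bin/adm.cgi", ""),
]

def scan(records):
    """Return (record index, finding) for every record that is flagged."""
    hits = ((i, check_request(*rec)) for i, rec in enumerate(records))
    return [(i, f) for i, f in hits if f]
```

Validating against the RFC 1123 allowlist first keeps the markup pattern as a labelling step only, so values that dodge the pattern are still reported as non-conforming hostnames.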

How to Mitigate CVE-2026-3716

Immediate Actions Required

  • Upgrade affected Wavlink WL-WN579X3-C devices to firmware version 20260226 using the official Wavlink firmware update
  • Restrict access to the device administration interface to trusted management VLANs or specific administrator workstations
  • Review the current device hostname configuration and remove any unexpected markup or script content

Patch Information

Wavlink released firmware version 20260226 to address this vulnerability. The vendor responded promptly after disclosure and published the fixed image at the Wavlink firmware download URL. Administrators should verify the firmware version after applying the update through the device administration panel.

Workarounds

  • Disable remote management on the wireless extender and limit administration access to a wired connection from a dedicated host
  • Use a browser session isolated from sensitive accounts when accessing the device management interface until the firmware upgrade is applied
  • Place affected devices on an isolated management network segment to limit the impact of a compromised administrator session

Verify firmware version and apply update:

  1. Log in to the device administration page
  2. Navigate to System > Firmware Update
  3. Upload WN579X3C_WAVLINK_V20260226_WO_cb3003b2.bin
  4. Confirm the post-upgrade version reports 20260226

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.