CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-13538

mediumCVSS 6.3covered by 1 sourcefirst seen 2026-06-29
A vulnerability was determined in Wavlink WL-NU516U1-A M16U1_V240425. The affected element is the function sub_401D68 of the file /cgi-bin/wireless.cgi of the component POST Parameter Handler. This manipulation of the argument SSID2G2/SSID5G2/AuthMethod2/WPAPSK12 causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

⚡ Watch CVE-2026-13538

Get an email if CVE-2026-13538 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-13538

CVE.org record

Embed the live status

CVE-2026-13538 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-13538 status](https://www.csirts.com/badge/CVE-2026-13538)](https://www.csirts.com/cve/CVE-2026-13538)