CVE-2026-3703

CVE Database · CVE-2026-3703

CVE-2026-3703

· CRITICALAnalyzed

CVSS v3.1

9.8

CVSS v4.0

8.9

EPSS

0.82%

Published

Mar 8, 2026

Modified

Mar 10, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A flaw has been found in Wavlink NU516U1 251208. This affects the function sub_401A10 of the file /cgi-bin/login.cgi. Executing a manipulation of the argument ipaddr can lead to out-of-bounds write. The attack may be performed from remote. The exploit has been published and may be used. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-119CWE-787

Affected Products (2)

wavlink · wl-nu516u1_firmwarevulnerable

wavlink · wl-nu516u1

References (6)

https://dl.wavlink.com/firmware/RD/WINSTAR_NU516U1-WO-A-2026-02-27-2fcf6ae-mt7628-squashfs-sysupgrade.bin

Broken Link

https://github.com/Wlz1112/Wavlink-NU516U1-V251208-/blob/main/ipaddr.md

ExploitVendor Advisory