{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4861", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-25T16:31:03.203Z", "datePublished": "2026-03-26T08:18:07.028Z", "dateUpdated": "2026-03-26T08:18:07.028Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-26T08:18:07.028Z"}, "title": "Wavlink WL-NU516U1 nas.cgi ftext stack-based overflow", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-121", "lang": "en", "description": "Stack-based Buffer Overflow"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "Wavlink", "product": "WL-NU516U1", "versions": [{"version": "260227", "status": "affected"}], "cpes": ["cpe:2.3:o:wavlink:wl-nu516u1_firmware:*:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Wavlink WL-NU516U1 260227. This vulnerability affects the function ftext of the file /cgi-bin/nas.cgi. This manipulation of the argument Content-Length causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "baseSeverity": "HIGH"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 9, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-25T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-25T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-25T17:36:08.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "haimianbaobao (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/?id.353192", "name": "VDB-353192 | Wavlink WL-NU516U1 nas.cgi ftext stack-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.353192", "name": "VDB-353192 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.776217", "name": "Submit #776217 | Wavlink NU516U1 V260227 Stack-based Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Wlz1112/WAVLINK-NU516U1-V260227/blob/main/Content-Length.md", "tags": ["exploit"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Wavlink WL-NU516U1 260227. This vulnerability affects the function ftext of the file /cgi-bin/nas.cgi. This manipulation of the argument Content-Length causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-4861", "lastModified": "2026-03-26T09:16:06.720", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-26T09:16:06.720", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/Wlz1112/WAVLINK-NU516U1-V260227/blob/main/Content-Length.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.353192"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.353192"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.776217"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "260227"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WL-NU516U1", "source": "cna", "vendor": "Wavlink"}, "product": "wl-nu516u1", "vendor": "wavlink"}], "analysis": {"en": {"generated_at": "2026-03-26T09:20:22.029094+00:00", "value": {"mitigation_remediation": ["Verify the current firmware version and upgrade to the latest available release if one exists. If no newer firmware is available, block external access to /cgi-bin/nas.cgi using firewall rules or device access control lists. Monitor logs for abnormal HTTP requests with unusual Content-Length values that target nas.cgi. Contact Wavlink support to request a patch or temporary mitigation and document the request. When a vendor patch is released, apply it immediately and verify the vulnerability is resolved."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Stack-Based Buffer Overflow"}, "threat_synthesis": {"affected_systems": "The affected product is Wavlink WL-NU516U1 NAS units, specifically the firmware version 260227. Other firmware revisions are not known to be impacted, but all devices from the WL-NU516U1 line should be considered potentially vulnerable until verified.", "description_and_impact": "Wavlink WL-NU516U1 devices running firmware 260227 are vulnerable due to a stack-based buffer overflow in the ftext function of /cgi-bin/nas.cgi. The vulnerability is triggered by manipulating the Content-Length HTTP header, allowing an attacker to overflow a buffer on the server-side stack. If successfully exploited, this can lead to arbitrary code execution, compromise of the device, data leakage, or denial of service. The weakness is classified under CWE-119 and CWE-121, indicating a classic memory corruption and stack frame tampering scenario.", "risk_and_exploitability": "The CVSS score for this flaw is 8.7, indicating high severity. No EPSS score is available, and the vulnerability is not listed as a known exploited vulnerability (KEV). The attack can be launched remotely by sending crafted HTTP requests to the /cgi-bin/nas.cgi endpoint. An attacker must have network connectivity to the NAS, and no authentication is required. Because the exploit code has been published publicly, the risk to exposed devices is significant."}}}}, "created": "2026-03-26T11:30:06.986163+00:00", "updated": "2026-03-26T12:08:12.846492+00:00", "vendors": ["wavlink", "wavlink$PRODUCT$wl-nu516u1"]}