cybersec
Jul 3, 2026 · 7 min Command InjectionCVE-2026-4163: Two Doors, One `system()` — Command Injection in Wavlink's wireless.cgi
A remote, unauthenticated POST to a MIPS router's CGI turns two innocuous-looking Wi-Fi settings — a device name and a guest SSID — into arbitrary shell. One path has no input check at all; the other has a check that quietly doesn't count.
— Two doors, one shell, zero patience