Description
A security flaw has been discovered in Edimax BR-6478AC 1.23. Affected by this issue is the function formQoS of the file /goform/formQoS of the component POST Request Handler. The manipulation of the argument selSSID results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-05-30
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a buffer overflow in the formQoS function of the POST Request Handler on Edimax BR-6478AC devices. Manipulating the selSSID argument of the /goform/formQoS endpoint allows an attacker to overflow a buffer, potentially executing arbitrary code on the device. This memory corruption can lead to full system compromise if exploited successfully.

Affected Systems

Edimax BR-6478AC firmware 1.23 is known to be vulnerable. The issue affects the POST /goform/formQoS endpoint exposed by the device’s web interface. Only the specified firmware version is confirmed; other versions were not listed as affected.

Risk and Exploitability

The CVSS base score of 8.7 indicates high severity, though the EPSS score is not available. An exploit has been released to the public, and the attack can be launched remotely, without local access to the device. The listed CVSS vectors specify low privileges required (PR:L; Au:S in CVSS 2.0), so exploitation needs low-level authenticated access. The vulnerability is not included in CISA's KEV catalog, but the combination of a high CVSS score, remote accessibility, and available exploit code results in a significant risk for exposed devices.

Generated by OpenCVE AI on May 30, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to the latest firmware version that contains the formQoS buffer overflow fix provided by Edimax.
  • Restrict external access to the device’s POST /goform/formQoS endpoint by configuring firewall rules or placing the device in a separate VLAN to block untrusted networks.
  • Disable or remove QoS configuration capabilities through the web interface if a patch is not immediately available, or block POST requests to /goform/formQoS from external sources.
  • Continuously monitor device logs for suspicious POST traffic to /goform/formQoS and investigate any anomalies promptly.


Advisories

No advisories yet.

History

Sat, 30 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Edimax br-6478ac
Vendors & Products | | Edimax br-6478ac

Sat, 30 May 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | A security flaw has been discovered in Edimax BR-6478AC 1.23. Affected by this issue is the function formQoS of the file /goform/formQoS of the component POST Request Handler. The manipulation of the argument selSSID results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
Title | | Edimax BR-6478AC POST Request formQoS buffer overflow
First Time appeared | | Edimax; Edimax br-6478ac Firmware
Weaknesses | | CWE-119; CWE-120
CPEs | | cpe:2.3:o:edimax:br-6478ac_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Edimax; Edimax br-6478ac Firmware
References | |
Metrics cvssV2_0 | | {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
Metrics cvssV3_0 | | {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics cvssV3_1 | | {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics cvssV4_0 | | {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-30T16:15:07.823Z

Reserved: 2026-05-29T17:24:33.912Z

Link: CVE-2026-10126

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-30T17:16:21.060

Modified: 2026-05-30T17:16:21.060

Link: CVE-2026-10126

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T17:30:28Z

Weaknesses