Description
A vulnerability was found in Edimax BR-6478AC 1.23. Impacted is the function formUSBFolder of the file /goform/formUSBFolder of the component POST Request Handler. The manipulation of the argument ShareName/SelectName results in buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used.
Published: 2026-05-31
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow exists in the formUSBFolder function that processes POST requests to the /goform/formUSBFolder endpoint on Edimax BR‑6478AC firmware 1.23. The ShareName/SelectName arguments are not properly bounded, allowing an attacker to overwrite adjacent memory and trigger arbitrary code execution or a denial‑of‑service condition. The vulnerability is classified as CWE‑119 and CWE‑120.

Affected Systems

Only the Edimax BR‑6478AC router running firmware version 1.23 is listed as affected; no other firmware versions or products were identified in the CNA data provided.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and although no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, an exploit has been publicly released. Attackers can target the device remotely by sending crafted HTTP POST traffic to the exposed endpoint. The CVSS vectors recorded for this entry list low privileges as required (PR:L; Au:S in CVSS v2), so exploitation is straightforward for an attacker who can reach the device over the network and has that level of access.

Generated by OpenCVE AI on May 31, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Contact Edimax or consult the vendor’s support channels to determine if a newer firmware revision that resolves the formUSBFolder buffer overflow is available and apply it as soon as possible.
  • If no firmware patch can be obtained, block or restrict external access to the /goform/formUSBFolder endpoint using firewall rules or access control lists to prevent unauthorized POST requests.
  • Place the device in a network segment that is only reachable by trusted internal hosts or secure it behind a VPN so that only authorized personnel can reach the exposed interface.



Advisories

No advisories yet.

History

Sun, 31 May 2026 04:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Edimax br-6478ac
Vendors & Products | | Edimax br-6478ac

Sun, 31 May 2026 03:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in Edimax BR-6478AC 1.23. Impacted is the function formUSBFolder of the file /goform/formUSBFolder of the component POST Request Handler. The manipulation of the argument ShareName/SelectName results in buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used.
Title | | Edimax BR-6478AC POST Request formUSBFolder buffer overflow
First Time appeared | | Edimax; Edimax br-6478ac Firmware
Weaknesses | | CWE-119; CWE-120
CPEs | | cpe:2.3:o:edimax:br-6478ac_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Edimax; Edimax br-6478ac Firmware
References | |
Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T02:30:08.775Z

Reserved: 2026-05-30T07:04:42.686Z

Link: CVE-2026-10164

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T04:16:19.333

Modified: 2026-05-31T04:16:19.333

Link: CVE-2026-10164

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T05:00:12Z

Weaknesses