Description
A vulnerability was determined in Edimax BR-6478AC 1.23. The affected element is the function formWlbasic of the file /goform/formWlbasic of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-05-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Edimax BR‑6478AC firmware 1.23 has a flaw in its formWlbasic POST handler (/goform/formWlbasic) that lets an attacker who can manipulate the rootAPmac argument inject operating system commands. The weakness is classified as CWE‑74 (injection) and, more specifically, CWE‑77 (command injection): the rootAPmac value is not validated or neutralized before it reaches a command. The CVE description states that the attack can be carried out remotely. It does not explicitly state whether authentication is required to reach the vulnerable endpoint, so that detail is inferred rather than confirmed.

Affected Systems

The vulnerability affects Edimax BR‑6478AC routers running firmware version 1.23; no other versions or product variants are listed. The build is identified by the CPE cpe:2.3:o:edimax:br-6478ac_firmware:*:*:*:*:*:*:*:* and the vendor’s published advisory references the same firmware level.

Risk and Exploitability

The CVSS v4.0 base score of 5.3 indicates moderate severity. The EPSS score recorded for this CVE is below 1%, and the vulnerability is not listed in the CISA KEV catalog. The attack path involves sending a crafted POST request to the /goform/formWlbasic endpoint with a manipulated rootAPmac argument. Because the description does not specify authentication requirements, the endpoint may be accessible without authentication, but this is not definitively stated; note that the CVSS vectors recorded in the History section below (Au:S, PR:L) score the issue as requiring low privileges. The vulnerability has been publicly disclosed, and successful exploitation would allow remote command execution on the device, which is a credible threat.

Generated by OpenCVE AI on May 31, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s firmware update that removes the command injection vulnerability in the formWlbasic handler.
  • If a firmware update is unavailable, block external access to the /goform/formWlbasic endpoint by configuring the device’s firewall or web server ACLs.
  • Configure the device to hide or disable the web administration interface from direct internet exposure, and enforce strong authentication before allowing any web access.
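The attack path above (a POST to /goform/formWlbasic carrying a manipulated rootAPmac) and the recommendation to restrict that endpoint both reduce to one defensive check: the only value that handler should ever receive in rootAPmac is a MAC address, so anything else is either a malformed request or an injection attempt. The following is an added example, not code from OpenCVE, Edimax or the device firmware. The endpoint and parameter names come from the CVE description; the assumption that rootAPmac must be a six-octet MAC address is inferred from the parameter name, and the "METHOD PATH BODY" log format and the log lines themselves are constructed for the example rather than taken from a real device.

```python
import re
from urllib.parse import parse_qs

# Allow-list shape for the argument: six hex octets joined by ':' or '-'.
# Assumption: rootAPmac is meant to carry a MAC address (inferred from its name).
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

VULN_PATH = "/goform/formWlbasic"   # endpoint named in the CVE description
VULN_PARAM = "rootAPmac"            # argument named in the CVE description


def is_valid_mac(value: str) -> bool:
    """Strict allow-list check: accept only a well-formed MAC address."""
    return bool(MAC_RE.match(value))


def check_post_body(path: str, body: str):
    """Return (ok, reason) for one POST.

    Requests to other paths pass through untouched. For the affected handler,
    every rootAPmac value must be a MAC address; a missing argument is not
    flagged here because the page says nothing about how the handler treats it.
    """
    if path != VULN_PATH:
        return True, "not the affected endpoint"
    params = parse_qs(body, keep_blank_values=True)
    values = params.get(VULN_PARAM)
    if not values:
        return True, f"{VULN_PARAM} absent"
    for v in values:
        if not is_valid_mac(v):
            return False, f"{VULN_PARAM} is not a MAC address: {v!r}"
    return True, f"{VULN_PARAM} well-formed"


# Constructed sample log in a hypothetical "METHOD PATH BODY" format (not real device output).
SAMPLE_LOG = [
    "POST /goform/formWlbasic wlMode=1&rootAPmac=00%3A11%3A22%3A33%3A44%3A55&ssid=home",
    "POST /goform/formWlbasic wlMode=1&rootAPmac=00%3A11%3A22%3A33%3A44%3A55%3Bnot-a-mac&ssid=home",
    "POST /goform/formWlbasic wlMode=1&ssid=home",
    "GET /index.asp ",
]


def scan_log(lines):
    """Run check_post_body over each POST line; return [(line_no, reason)] for failures."""
    findings = []
    for n, line in enumerate(lines, 1):
        method, path, body = (line.split(" ", 2) + ["", "", ""])[:3]
        if method != "POST":
            continue
        ok, reason = check_post_body(path, body)
        if not ok:
            findings.append((n, reason))
    return findings


if __name__ == "__main__":
    for line_no, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

The same `is_valid_mac` allow-list is what a patched handler would apply before the value is used; run over web-server or proxy logs, `scan_log` flags requests whose rootAPmac is not a MAC address so they can be investigated, and a reverse proxy in front of the device can enforce the identical rule to block them.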

Advisories

No advisories yet.

History

Sun, 31 May 2026 04:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Edimax br-6478ac
Vendors & Products   (none)           Edimax br-6478ac

Sun, 31 May 2026 03:30:00 +0000

Type                 Values Removed   Values Added
Description          (none)           A vulnerability was determined in Edimax BR-6478AC 1.23. The affected element is the function formWlbasic of the file /goform/formWlbasic of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
Title                (none)           Edimax BR-6478AC POST Request formWlbasic command injection
First Time appeared  (none)           Edimax; Edimax br-6478ac Firmware
Weaknesses           (none)           CWE-74; CWE-77
CPEs                 (none)           cpe:2.3:o:edimax:br-6478ac_firmware:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Edimax; Edimax br-6478ac Firmware
References           (none)           (none)
Metrics              (none)           cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                      cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T03:15:08.139Z

Reserved: 2026-05-30T07:04:49.593Z

Link: CVE-2026-10166

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T04:16:19.683

Modified: 2026-05-31T04:16:19.683

Link: CVE-2026-10166

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T05:00:12Z

Weaknesses