Description
A vulnerability has been found in Edimax BR-6478AC V2 1.23. The impacted element is the function formWlSiteSurvey of the file /goform/formWlSiteSurvey of the component POST Request Handler. The manipulation of the argument selSSID leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-21
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic buffer overflow in the formWlSiteSurvey handler of Edimax BR-6478AC V2 firmware 1.23, triggered when an attacker manipulates the selSSID argument in a POST request. The flaw falls under the CWE-119 and CWE-120 weakness categories and can allow an attacker to overwrite memory and potentially execute arbitrary code on the router itself. An attacker could thereby gain full control of the device, compromising the confidentiality, integrity, and availability of the network environment.

Affected Systems

The affected product is the Edimax BR‑6478AC V2 Wi‑Fi router, specifically firmware version 1.23. No additional sub‑products or versions are listed, so the scope is limited to this single device model and the mentioned firmware release.

Risk and Exploitability

The CVSS score of 8.7 indicates a high-severity issue. A public exploit has been disclosed, but no EPSS score is available, so the likelihood of near-term exploitation is uncertain. The vulnerability can be triggered remotely over the network, and the vendor did not respond to the disclosure, which increases the risk that devices are compromised before a fix exists. The issue is not listed in the CISA KEV catalog, yet the severity and remote nature warrant urgent attention.

Generated by OpenCVE AI on June 21, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's official firmware update for the BR-6478AC V2 once a version that addresses the formWlSiteSurvey buffer overflow is available.
  • If a patch is unavailable, disable or tightly restrict access to the /goform/formWlSiteSurvey endpoint by implementing firewall rules or by configuring the router to trust only local or LAN sources.
  • If possible, block all WAN‑side POST traffic to the router or place the router behind a network segment that limits external exposure, thereby reducing the attack surface until a fix is applied.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 19:45:00 +0000

Columns: Type, Values Removed, Values Added. Values added in this entry:

  • Description: A vulnerability has been found in Edimax BR-6478AC V2 1.23. The impacted element is the function formWlSiteSurvey of the file /goform/formWlSiteSurvey of the component POST Request Handler. The manipulation of the argument selSSID leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  • Title: Edimax BR-6478AC V2 POST Request formWlSiteSurvey buffer overflow
  • First Time appeared: Edimax; Edimax br-6478ac V2
  • Weaknesses: CWE-119; CWE-120
  • CPEs: cpe:2.3:a:edimax:br-6478ac_v2:*:*:*:*:*:*:*:*
  • Vendors & Products: Edimax; Edimax br-6478ac V2
  • References
  • Metrics:
      cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-21T19:30:08.190Z

Reserved: 2026-06-21T04:19:50.899Z

Link: CVE-2026-12806

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-21T20:30:07Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')