Description
A vulnerability was determined in Edimax BR-6478AC V2 1.23. This impacts the function stainfo of the file /goform/stainfo of the component POST Request Handler. This manipulation of the argument interface causes command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote attacker can exploit the stainfo function behind /goform/stainfo (POST Request Handler component) of Edimax BR-6478AC V2 1.23 by sending a crafted POST request. Malicious input in the interface argument is executed as a shell command on the device, letting the attacker run arbitrary code and potentially take full control of the router. The vulnerability is classified under CWE-74 and CWE-77 because the input reaches command execution without proper validation, and it is rated CVSS 5.3, indicating moderate severity.

Affected Systems

Vulnerable devices are the Edimax BR-6478AC V2 routers, specifically firmware version 1.23. No other versions or extended product lines are listed as affected in the CNA data.

Risk and Exploitability

The CVSS score of 5.3 reflects a moderate risk, but because the exploit can be triggered remotely without additional privileges and is publicly disclosed, the likelihood of real-world exploitation is non-negligible. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attacks would target the unused or non-authenticated /goform/stainfo endpoint, so the router is potentially exposed to any host with network reach to it.

Generated by OpenCVE AI on June 21, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check with Edimax for a firmware update that addresses the command injection flaw.
  • Configure the network firewall or router ACLs to restrict access to the /goform/stainfo endpoint, allowing only trusted management IPs.
  • Deploy a policy to block or deny all POST requests to /goform/stainfo until a patch is applied.
  • Monitor device logs for unexpected command executions or malformed POST requests and investigate any anomalies promptly.


Advisories

No advisories yet.

History

Sun, 21 Jun 2026 21:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was determined in Edimax BR-6478AC V2 1.23. This impacts the function stainfo of the file /goform/stainfo of the component POST Request Handler. This manipulation of the argument interface causes command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. |
| Title | | Edimax BR-6478AC V2 POST Request stainfo command injection |
| First Time appeared | | Edimax, Edimax br-6478ac V2 |
| Weaknesses | | CWE-74, CWE-77 |
| CPEs | | cpe:2.3:a:edimax:br-6478ac_v2:*:*:*:*:*:*:*:* |
| Vendors & Products | | Edimax, Edimax br-6478ac V2 |
| References | | |
| Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}; cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}; cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}; cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-21T20:45:08.121Z

Reserved: 2026-06-21T04:19:56.381Z

Link: CVE-2026-12808

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-21T22:30:05Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')