Description
A security vulnerability has been detected in Edimax EW-7478APC 1.04. The affected element is the function formAccept of the file /goform/formAccept of the component POST Request Handler. The manipulation of the argument submit-url leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is located in the formAccept function within the /goform/formAccept endpoint of Edimax EW‑7478 By manipulating the submit‑url parameter, an attacker can inject operating‑system commands. Successful exploitation allows arbitrary OS command execution on the device. The description confirms that this vulnerability can be abused remotely via HTTP POST requests and that the exploit has been publicly disclosed.

Affected Systems

The only affected product identified is the Edimax EW‑7478APC wireless access point running firmware version 1.04. No other affected versions are listed, and the vendor did not respond to the disclosure.

Risk and Exploitability

The CVSS score of 5.3 denotes a moderate impact. The EPSS score is 1%, and the vulnerability is not listed in the CISA KEV catalog, implying date. The attack vector is a web‑based POST request that can be performed remotely, meaning the device can be targeted from any network with access to the vulnerable endpoint. The presence of CWE‑77 and CWE‑78 weaknesses underlines that uncontrolled command execution is possible if the submit‑url argument is not properly sanitized.

Generated by OpenCVE AI on June 30, 2026 at 15:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict or disable the /goform/formAccept endpoint from unauthenticated access. If remote management is required, limit it to trusted IP command injection flaw when it becomes available.
  • Deploy firewall rules that block any HTTP POST request to the /goform/formAccept endpoint from all sources except the management network.
  • Consider removing the submit‑url parameter from the form or disabling the formAccept functionality if the device does not need this feature.

Generated by OpenCVE AI on June 30, 2026 at 15:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in Edimax EW-7478APC 1.04. The affected element is the function formAccept of the file /goform/formAccept of the component POST Request Handler. The manipulation of the argument submit-url leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Edimax EW-7478APC POST Request formAccept os command injection
First Time appeared Edimax
Edimax ew-7478apc
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:a:edimax:ew-7478apc:*:*:*:*:*:*:*:*
Vendors & Products Edimax
Edimax ew-7478apc
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Edimax Ew-7478apc
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-30T15:39:24.726Z

Reserved: 2026-06-28T16:12:47.853Z

Link: CVE-2026-13560

cve-icon Vulnrichment

Updated: 2026-06-30T15:39:20.524Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T15:45:05Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')