Description
Edimax GS-5008PL firmware version 1.00.54 and prior contain a stored cross-site scripting vulnerability in the system_name_set.cgi script that allows attackers to inject arbitrary script code by manipulating the sysName parameter. Attackers can send a crafted POST request with malicious script payload that executes when management pages including system_data.js are viewed by administrators.
Published: 2026-03-17
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Upgrade Firmware
AI Analysis

Impact

A stored cross‑site scripting (XSS) flaw exists in Edimax GS‑5008PL firmware versions 1.00.54 and earlier. The flaw allows an attacker to send a crafted POST request that sets the sysName parameter to a value containing JavaScript. When a management page that loads system_data.js is subsequently viewed by an administrator, the malicious script is executed in the browser context, giving the attacker the same privileges as the page viewer. Based on the description, it is inferred that an attacker with administrator view access could hijack the session, steal credentials, or alter configuration data.

Affected Systems

The impacted vendor is Edimax Technology Co., Ltd. The affected product is the Edimax GS‑5008PL switch. All firmware builds at version 1.00.54 and earlier are affected, as indicated by the vendor’s product listings and the CPE strings that reference the device and its firmware.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to send a crafted POST request to the device’s web interface. The description does not state whether authentication is required; based on typical web‑interface behavior, it is inferred that the attacker must be able to reach the management port, which could be exposed over a local or public network. The attack vector is therefore likely local network or remote if the management interface is externally accessible. The overall risk is moderate, but it could become severe in environments where the switch’s web interface is reachable from untrusted networks or the device is widely shared among administrators.

Generated by OpenCVE AI on March 19, 2026 at 16:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a firmware upgrade that is newer than version 1.00.54.
  • If a firmware upgrade cannot be performed immediately, restrict access to the device’s web‑interface to trusted administrators and isolate the switch on a secure internal network.
  • After remediation, verify that the sysName field no longer accepts arbitrary script and that no injected scripts execute when administrative pages are loaded.
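
An added example, not part of the OpenCVE record and not Edimax firmware code: a minimal model of the flaw class described above (CWE-79 through a stored device name), showing unescaped emission of the name into a script file beside a hardened version, plus an input allowlist that supports the post-remediation check on sysName. How the firmware actually builds system_data.js is not stated on this page; the variable layout, the function names and the allowlist policy are assumptions.

```javascript
// Added example: constructed model, not Edimax firmware code.
// Assumption: the stored device name is written into a JavaScript data file
// (the page names system_data.js) as a string literal.

// Vulnerable pattern: raw concatenation. A quote, backslash or "</script>"
// inside the name ends the string literal early.
function emitUnsafe(sysName) {
  return 'var sysName = "' + sysName + '";';
}

// Hardened pattern: JSON-encode the value, then escape the characters that
// matter to the HTML parser and to older JavaScript parsers.
const JS_ESCAPES = {
  '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};
function emitSafe(sysName) {
  const literal = JSON.stringify(String(sysName))
    .replace(/[<>&\u2028\u2029]/g, (c) => JS_ESCAPES[c]);
  return 'var sysName = ' + literal + ';';
}

// Input-side allowlist for the handler that stores the name.
// Hypothetical policy: 1-63 characters of letters, digits, space, dot,
// underscore and hyphen, starting with a letter or digit.
const SYSNAME_RE = /^[A-Za-z0-9][A-Za-z0-9 ._-]{0,62}$/;
function isValidSysName(value) {
  return typeof value === 'string' && SYSNAME_RE.test(value);
}

// Evaluate a hardened line and return the value it assigns, to confirm the
// name survives as data. Use only on emitSafe() output.
function readBack(line) {
  return new Function(line + ' return sysName;')();
}

const SAMPLE_NAME = 'core-sw"</script>'; // constructed sample input
console.log(emitUnsafe(SAMPLE_NAME));    // literal is terminated by the quote
console.log(emitSafe(SAMPLE_NAME));      // stays one string literal
console.log(isValidSysName(SAMPLE_NAME), isValidSysName('core-sw-01'));
```

Output encoding is the control that closes the script-context issue; the allowlist only narrows what can be stored in the first place.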



Advisories

No advisories yet.

History

Thu, 19 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Edimax; Edimax gs-5008pl; Edimax gs-5008pl Firmware
CPEs | (none) | cpe:2.3:h:edimax:gs-5008pl:-:*:*:*:*:*:*:*; cpe:2.3:o:edimax:gs-5008pl_firmware:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Edimax; Edimax gs-5008pl; Edimax gs-5008pl Firmware

Wed, 18 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Edimax Technology; Edimax Technology edimax Gs-5008pl
Vendors & Products | (none) | Edimax Technology; Edimax Technology edimax Gs-5008pl

Tue, 17 Mar 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 17 Mar 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | Edimax GS-5008PL firmware version 1.00.54 and prior contain a stored cross-site scripting vulnerability in the system_name_set.cgi script that allows attackers to inject arbitrary script code by manipulating the sysName parameter. Attackers can send a crafted POST request with malicious script payload that executes when management pages including system_data.js are viewed by administrators.
Title | (none) | Edimax GS-5008PL <= 1.00.54 Stored XSS via Device Name
Weaknesses | (none) | CWE-79
References | (none) |
Metrics | (none) | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-18T20:09:56.986Z

Reserved: 2026-03-16T18:11:41.758Z

Link: CVE-2026-32840

Vulnrichment

Updated: 2026-03-18T20:09:54.448Z

NVD

Status: Analyzed

Published: 2026-03-17T22:16:14.850

Modified: 2026-03-19T14:04:08.787

Link: CVE-2026-32840

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:54:35Z
