Description
Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another administrative user's web browser.
Published: 2026-05-13
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ELECOM wireless LAN access point devices contain a stored cross‑site scripting flaw in their administrative web interface. When an administrator enters malicious data, that data is stored and later executed in the web browser of another administrator who visits the same page, allowing arbitrary client‑side code execution, phishing, or credential theft. The issue has a CVSS score of 4.8, indicating moderate severity, and no EPSS data is available.

Affected Systems

The affected devices are ELECOM CO.,LTD. wireless access points models WAB‑BE187‑M, WAB‑BE36‑M, WAB‑BE36‑S, and WAB‑BE72‑M. No specific firmware or version details are supplied.

Risk and Exploitability

The vulnerability is reachable through the local or internal network where the administrative interface is accessible. Exploitation requires an authenticated or associated administrator to be logged in or to have the ability to reach the admin interface. The CVSS score of 4.8 reflects moderate impact; the absence of an EPSS score and its non‑listing in CISA KEV suggest limited known exploitation activity.

Generated by OpenCVE AI on May 13, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to the latest ELECOM release that addresses the stored XSS flaw
  • Restrict access to the administrative web interface, for example by limiting to trusted IP addresses or segregating the management network
  • Implement a content security policy or deploy a web application firewall rule that blocks the execution of injected scripts

Generated by OpenCVE AI on May 13, 2026 at 14:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 17 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Elecom
Elecom wab-be187-m
Elecom wab-be36-m
Elecom wab-be36-s
Elecom wab-be72-m
Vendors & Products Elecom
Elecom wab-be187-m
Elecom wab-be36-m
Elecom wab-be36-s
Elecom wab-be72-m

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 15:00:00 +0000

Type Values Removed Values Added
Title Stored XSS Vulnerability in ELECOM Wireless Access Point Administration Interface

Wed, 13 May 2026 12:45:00 +0000

Type Values Removed Values Added
Description Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another administrative user's web browser.
Weaknesses CWE-79
References
Metrics cvssV3_0

{'score': 4.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Elecom Wab-be187-m Wab-be36-m Wab-be36-s Wab-be72-m
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-05-13T15:06:33.320Z

Reserved: 2026-05-07T05:47:09.922Z

Link: CVE-2026-42948

cve-icon Vulnrichment

Updated: 2026-05-13T15:06:27.116Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T13:16:44.063

Modified: 2026-05-13T15:47:10.327

Link: CVE-2026-42948

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T19:42:01Z

Weaknesses