Description
ELECOM wireless LAN access point devices do not check whether the language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page in the user's web browser may become broken.
Published: 2026-05-13
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ELECOM wireless LAN access point devices do not validate the language parameter supplied to the web interface. If an authenticated user inadvertently visits a malicious web page, the language value can corrupt the admin page rendered in the browser, leaving the interface broken and unusable. This failure does not disclose data or allow code execution but effectively renders the management console inaccessible until the page is refreshed or the user logs out.

Affected Systems

Affected products include ELECOM CO.,LTD. wireless LAN access points WAB-BE187-M, WAB-BE36-M, WAB-BE36-S, and WAB-BE72-M. No specific firmware version information is provided in the advisory, so all current and past revisions of these models are potentially impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. EPSS information is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known exploited instances. The likely attack vector is client‑side: an authenticated user must be logged into the admin interface and then visit a malicious web page that supplies an invalid language parameter. Because the flaw does not provide direct control over the device, exploitation requires user interaction, but the resulting denial of service can disrupt management and maintenance operations.

Generated by OpenCVE AI on May 13, 2026 at 14:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the firmware for the WAB‑BE1xx and WAB‑BE72‑M models to the latest release from Elecom.
  • Limit access to the admin interface while browsing external sites by logging out or using separate management tools.
  • Separate the management VLAN from user traffic to reduce the chance that compromised users can reach the admin interface.

Generated by OpenCVE AI on May 13, 2026 at 14:22 UTC.

Advisories

No advisories yet.

History

Wed, 13 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Title | | Elecom Wireless LAN Access Point Language Parameter Validation Failure Causing Admin Page Breakage

Wed, 13 May 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | ELECOM wireless LAN access point devices do not check whether the language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page in the user's web browser may become broken.
Weaknesses | | CWE-754
References | |
Metrics | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}
Metrics | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-05-13T15:05:49.437Z

Reserved: 2026-05-07T05:47:10.836Z

Link: CVE-2026-42950

Vulnrichment

Updated: 2026-05-13T15:05:43.216Z

NVD

Status: Deferred

Published: 2026-05-13T13:16:44.200

Modified: 2026-05-13T15:47:10.327

Link: CVE-2026-42950

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T14:30:36Z
