Which versions of Edimax BR-6478AC are affected by CVE-2026-10126?

Edimax BR-6478AC routers (version 1.23) contain a buffer overflow vulnerability in the web management interface that could allow attackers to compromise router firmware and gain unauthorized access…

Is there a public PoC exploit available for CVE-2026-10126?

Yes, a public proof-of-concept exploit is available for CVE-2026-10126. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-10126?

Within 24 hours: Inventory all Edimax BR-6478AC v1.23 devices and document their network locations and administrative access patterns. Within 7 days: Restrict web management interface access to whitelisted internal IP addresses only, disable remote management if currently enabled, and implement enhanced access logging on all affected devices. Within 30 days: Establish vendor monitoring process for Edimax security advisories and patch releases; develop and execute replacement strategy deploying alternative SOHO router products from vendors with active security patching programs.

Edimax BR-6478AC CVE-2026-10126

Q: What is the CVSS score of CVE-2026-10126?

CVE-2026-10126 has a CVSS 4.0 base score of 7.4 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-33469 HIGH

Classic Buffer Overflow (CWE-120)

2026-05-30 VulDB

GHSA-27vr-q2hh-fjhh

Buffer Overflow Br 6478Ac

7.4

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

7.4 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 30, 2026 - 17:28 vuln.today

v3 (cvss_changed)

Analysis Updated

May 30, 2026 - 17:28 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 30, 2026 - 17:22 vuln.today

cvss_changed

CVSS changed

May 30, 2026 - 17:22 NVD

8.8 (HIGH) 7.4 (HIGH)

Analysis Generated

May 30, 2026 - 17:15 vuln.today

DescriptionCVE.org

A security flaw has been discovered in Edimax BR-6478AC 1.23. Affected by this issue is the function formQoS of the file /goform/formQoS of the component POST Request Handler. The manipulation of the argument selSSID results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

AnalysisAI

Buffer overflow in the Edimax BR-6478AC 1.23 router's web management interface allows remote attackers with low-level credentials to corrupt memory by sending an oversized selSSID parameter to the /goform/formQoS endpoint. Publicly available exploit code exists per VulDB, raising the practical risk despite the CVSS 4.0 base score of 7.4, though there is no public exploit identified at time of analysis in CISA KEV. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify exposed BR-6478AC admin interface

Delivery

Obtain low-privilege web credentials

Exploit

Send crafted POST to /goform/formQoS

Install

Overflow buffer via oversized selSSID

Hijack httpd control flow as root

Execute

Persist via firmware/config modification

Impact

Pivot into internal LAN