
Edimax BR-6478AC CVE-2026-10166

EUVD-2026-33486 · LOW
Command Injection (CWE-77)
2026-05-31 · VulDB · GHSA-xrc6-7rx8-67xr
CVSS 4.0 score 2.1 (NVD)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None

Lifecycle Timeline

  • May 31, 2026 04:22 (NVD): Severity changed, MEDIUM → LOW
  • May 31, 2026 04:22 (NVD): CVSS changed, 6.3 (MEDIUM) → 2.1 (LOW)
  • May 31, 2026 03:44 (vuln.today): Analysis generated

Description (CVE.org)

A vulnerability was determined in Edimax BR-6478AC 1.23. The affected element is the function formWlbasic of the file /goform/formWlbasic of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized.

Analysis (AI-generated)

Command injection in Edimax BR-6478AC firmware 1.23 allows a remotely authenticated attacker to execute arbitrary OS commands by manipulating the rootAPmac parameter in a POST request to the /goform/formWlbasic endpoint. The vulnerable function formWlbasic passes unsanitized input directly to a system-level command, a pattern common in consumer embedded router firmware. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: obtain low-privilege web interface credentials
  • Delivery: send crafted POST request to /goform/formWlbasic
  • Exploit: inject shell metacharacters into rootAPmac parameter
  • Execution: trigger unsanitized system command execution
  • Impact: execute arbitrary OS commands on router

Vulnerability Assessment (AI-generated)

Exploitation: The attacker must hold at least low-privilege authentication to the Edimax BR-6478AC web management interface, as confirmed by the CVSS vector PR:L; unauthenticated exploitation is not supported by available data. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 score of 6.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L indicates network-accessible exploitation requiring only low-privilege authentication, low attack complexity, and no user interaction, with partial impact across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has obtained low-privilege credentials to the Edimax BR-6478AC web interface (through credential stuffing, default credentials, or prior compromise) submits a crafted HTTP POST request to `/goform/formWlbasic` with a `rootAPmac` value containing shell metacharacters such as a semicolon followed by a reverse shell command. The router's web server passes the unsanitized value to a system-level call, executing the injected command in the context of the web server process, which on many embedded devices runs as root. …

Remediation: No vendor-released patch has been identified at time of analysis for Edimax BR-6478AC. … Detailed patch versions, workarounds, and compensating controls in full report.
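The unsanitized-parameter-to-system-call pattern described in the analysis and exploit scenario above, reconstructed as an added C example (not the vendor's firmware code and not vuln.today's): a vulnerable handler beside a hardened one that allowlists `rootAPmac` as a MAC address and execs a helper without a shell. The helper path `/sbin/set_rootap` and the function names are placeholders, not identifiers from the device.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical helper binary (placeholder path, not the vendor's). */
#define SET_ROOTAP_BIN "/sbin/set_rootap"

/* Allowlist check: exactly "xx:xx:xx:xx:xx:xx" (hex digits and colons).
 * Shell metacharacters such as ';', '|', '`' or '$(' can never pass. */
int is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17) return 0;
    for (int i = 0; i < 17; i++) {
        int sep = (i % 3 == 2);
        if (sep ? s[i] != ':' : !isxdigit((unsigned char)s[i]))
            return 0;
    }
    return 1;
}

/* Vulnerable pattern the advisory describes: the POST parameter is pasted
 * into a command string and run through a shell, which interprets it. */
int set_rootap_vulnerable(const char *rootAPmac)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, SET_ROOTAP_BIN " %s", rootAPmac);
    return system(cmd);
}

/* Hardened form: reject anything outside the allowlist, then exec the
 * helper directly (no shell) so the value is a single argv element.
 * Returns -1 on rejection or fork failure, otherwise the helper's exit
 * status (127 when the placeholder binary does not exist). */
int set_rootap_hardened(const char *rootAPmac)
{
    if (!is_valid_mac(rootAPmac)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl(SET_ROOTAP_BIN, "set_rootap", rootAPmac, (char *)NULL);
        _exit(127);  /* exec failed */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The same allowlist check is also what a WAF or reverse-proxy rule in front of the router's web interface would enforce on the `rootAPmac` field as a compensating control while no vendor patch is available.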

Threat intelligence, references, and detailed analysis are available after sign-in.


CVE-2026-10166 vulnerability details – vuln.today
