Skip to main content

ELECOM Wireless LAN Access Point CVE-2026-42948

| EUVDEUVD-2026-29942 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-13 jpcert GHSA-2xgj-qg94-hr45
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 13, 2026 - 13:16 vuln.today
CVE Published
May 13, 2026 - 12:02 nvd
MEDIUM 4.8

DescriptionCVE.org

Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another administrative user's web browser.

AnalysisAI

Stored cross-site scripting vulnerability in ELECOM wireless LAN access point devices (WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, WAB-BE36-S) allows authenticated administrators to inject malicious scripts that execute in other administrators' web browsers when they access the device management interface. Exploitation requires high-privilege administrative credentials and user interaction (victim must visit the admin panel), limiting real-world risk despite network-accessible attack surface.

Technical ContextAI

This is a CWE-79 stored (persistent) cross-site scripting vulnerability in the device's web-based administration interface. ELECOM access points provide network management functions through an HTTP/HTTPS web portal; the vulnerability exists because the device fails to properly sanitize or encode user-supplied input from one administrator before storing and displaying it to other administrators. The attack vector is network-based (AV:N) but requires high-privilege credentials (PR:H) and relies on rendering of unsanitized data in a browser context, making this a client-side injection attack rather than server-side code execution. The scope is changed (S:C), indicating the vulnerability can affect other users beyond the authenticated administrator.

RemediationAI

Consult ELECOM's official security advisory at https://www.elecom.co.jp/news/security/20260512-01/ for firmware update availability and exact patched versions for each model (WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, WAB-BE36-S). If patches are available, upgrade firmware to the latest version specified by ELECOM. As a compensating control pending patch availability, restrict administrative web interface access to trusted internal networks only using network ACLs or firewall rules, preventing untrusted administrators from accessing the device. Additionally, disable or restrict administrative interface access from the internet (disable remote management if supported) and implement strong access controls to limit the number of accounts with high-privilege administrative rights. Monitor access logs for suspicious administrative activity or unexpected configuration changes. These controls reduce attack surface but do not eliminate the vulnerability if multiple trusted administrators are required to co-manage the device.

Share

CVE-2026-42948 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy