Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user's web browser may become broken.
AnalysisAI
ELECOM wireless LAN access point models WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, and WAB-BE36-S fail to validate the language parameter in administrative pages, allowing remote attackers to break the admin interface for logged-in users via malicious web pages. The vulnerability requires user interaction (viewing a malicious page while authenticated to the access point) and results in denial of service of the administrative interface rather than data exposure or unauthorized access. No public exploit code has been identified at time of analysis.
Technical ContextAI
The vulnerability stems from improper input validation of the language parameter in ELECOM's web-based administrative interface for wireless LAN access point devices. The root cause is classified as CWE-754 (Improper Check for Unusual or Exceptional Conditions), indicating the application does not properly handle or validate language parameter values that fall outside the expected set of supported languages. When an attacker crafts a malicious web page containing an invalid language parameter value and a logged-in administrator views it, the parameter is processed without validation, corrupting the admin interface state and rendering it non-functional. The affected products (WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, WAB-BE36-S) are specific ELECOM wireless LAN access point models identified via CPE strings.
RemediationAI
ELECOM has released firmware updates to address this vulnerability. Administrators should update affected access point models to the patched firmware version available from the official ELECOM security advisory at https://www.elecom.co.jp/news/security/20260512-01/ and the Japanese vulnerability database entry at https://jvn.jp/en/jp/JVN03037325/. The firmware update should be applied through the device's web administration interface or via firmware upload mechanism provided by ELECOM. Pending firmware installation, administrators can mitigate the risk by restricting access to the administrative web interface to trusted networks only (using firewall rules or VPN access), ensuring the device is not directly exposed to untrusted users, and instructing administrators to avoid clicking links from untrusted sources while logged into the access point. The workarounds trade administrative convenience for reduced attack surface; full remediation requires the vendor-released patch.
More in Wab Be187 M
View allCross-site request forgery (CSRF) in ELECOM wireless LAN access points (WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, WAB-BE36-S)
Stored cross-site scripting vulnerability in ELECOM wireless LAN access point devices (WAB-BE187-M, WAB-BE72-M, WAB-BE36
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29943
GHSA-3f7h-8wg4-948w