Skip to main content

ELECOM wireless LAN access point EUVDEUVD-2026-29943

| CVE-2026-42950 MEDIUM
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-05-13 jpcert GHSA-3f7h-8wg4-948w
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
CVSS changed
May 13, 2026 - 15:52 NVD
4.3 (MEDIUM) 5.1 (MEDIUM)
Analysis Generated
May 13, 2026 - 13:16 vuln.today
CVE Published
May 13, 2026 - 12:02 nvd
MEDIUM 4.3

DescriptionCVE.org

ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user's web browser may become broken.

AnalysisAI

ELECOM wireless LAN access point models WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, and WAB-BE36-S fail to validate the language parameter in administrative pages, allowing remote attackers to break the admin interface for logged-in users via malicious web pages. The vulnerability requires user interaction (viewing a malicious page while authenticated to the access point) and results in denial of service of the administrative interface rather than data exposure or unauthorized access. No public exploit code has been identified at time of analysis.

Technical ContextAI

The vulnerability stems from improper input validation of the language parameter in ELECOM's web-based administrative interface for wireless LAN access point devices. The root cause is classified as CWE-754 (Improper Check for Unusual or Exceptional Conditions), indicating the application does not properly handle or validate language parameter values that fall outside the expected set of supported languages. When an attacker crafts a malicious web page containing an invalid language parameter value and a logged-in administrator views it, the parameter is processed without validation, corrupting the admin interface state and rendering it non-functional. The affected products (WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, WAB-BE36-S) are specific ELECOM wireless LAN access point models identified via CPE strings.

RemediationAI

ELECOM has released firmware updates to address this vulnerability. Administrators should update affected access point models to the patched firmware version available from the official ELECOM security advisory at https://www.elecom.co.jp/news/security/20260512-01/ and the Japanese vulnerability database entry at https://jvn.jp/en/jp/JVN03037325/. The firmware update should be applied through the device's web administration interface or via firmware upload mechanism provided by ELECOM. Pending firmware installation, administrators can mitigate the risk by restricting access to the administrative web interface to trusted networks only (using firewall rules or VPN access), ensuring the device is not directly exposed to untrusted users, and instructing administrators to avoid clicking links from untrusted sources while logged into the access point. The workarounds trade administrative convenience for reduced attack surface; full remediation requires the vendor-released patch.

Share

EUVD-2026-29943 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy