Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible web interface with PR:L per CVSS 4.0; OS command injection on embedded Linux yields full C/I/A compromise.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in Edimax EW-7478APC 1.04. The affected element is the function formAccept of the file /goform/formAccept of the component POST Request Handler. The manipulation of the argument submit-url leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
OS command injection in Edimax EW-7478APC 1.04 allows a remote low-privileged attacker to execute arbitrary operating system commands by manipulating the submit-url parameter in POST requests to the /goform/formAccept endpoint. The vendor was notified prior to public disclosure but did not respond, leaving the vulnerability unpatched. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker can reach the device's HTTP-based web management interface over the network (AV:N confirmed). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 score of 2.1 with low impact metrics (VC:L/VI:L/VA:L) conflicts sharply with the expected real-world impact of unauthenticated or low-privileged OS command injection on a networked embedded device, which routinely yields full root shell access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with low-privilege access to the Edimax EW-7478APC web management interface sends a crafted HTTP POST request to /goform/formAccept with a malicious submit-url value containing shell metacharacters (e.g., semicolons or backticks) embedding arbitrary OS commands. The formAccept function passes the unsanitized parameter directly to a system call, executing the injected commands in the context of the web server process - likely root on this class of embedded device. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the vendor did not respond to the coordinated disclosure. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40071
GHSA-49rv-46ph-6jmv