Skip to main content

Edimax EW-7478APC EUVDEUVD-2026-40071

| CVE-2026-13560 LOW
Command Injection (CWE-77)
2026-06-29 cna@vuldb.com GHSA-49rv-46ph-6jmv
2.1
CVSS 4.0 · Vendor: vuldb

Severity by source

Vendor (vuldb) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-accessible web interface with PR:L per CVSS 4.0; OS command injection on embedded Linux yields full C/I/A compromise.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 12:30 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in Edimax EW-7478APC 1.04. The affected element is the function formAccept of the file /goform/formAccept of the component POST Request Handler. The manipulation of the argument submit-url leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

OS command injection in Edimax EW-7478APC 1.04 allows a remote low-privileged attacker to execute arbitrary operating system commands by manipulating the submit-url parameter in POST requests to the /goform/formAccept endpoint. The vendor was notified prior to public disclosure but did not respond, leaving the vulnerability unpatched. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach web management interface over network
Delivery
Authenticate with low-privilege credentials
Exploit
Send crafted POST to /goform/formAccept
Execution
Inject shell commands via submit-url parameter
Impact
Execute arbitrary OS commands on device

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker can reach the device's HTTP-based web management interface over the network (AV:N confirmed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 score of 2.1 with low impact metrics (VC:L/VI:L/VA:L) conflicts sharply with the expected real-world impact of unauthenticated or low-privileged OS command injection on a networked embedded device, which routinely yields full root shell access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privilege access to the Edimax EW-7478APC web management interface sends a crafted HTTP POST request to /goform/formAccept with a malicious submit-url value containing shell metacharacters (e.g., semicolons or backticks) embedding arbitrary OS commands. The formAccept function passes the unsanitized parameter directly to a system call, executing the injected commands in the context of the web server process - likely root on this class of embedded device. …
Remediation No vendor-released patch has been identified at time of analysis; the vendor did not respond to the coordinated disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40071 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy