A weakness has been identified in Edimax BR-6478AC 1.23. This affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.
PUBLISHED5.2Operating systemCWE-77CWE-74
Edimax BR-6478AC POST Request formStaDrvSetup command injection
Problem type
Affected products
Edimax
BR-6478AC
1.23 - AFFECTED
References
VDB-367304 | Edimax BR-6478AC POST Request formStaDrvSetup command injection
https://vuldb.com/vuln/367304
VDB-367304 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/367304/cti
Submit #818455 | Edimax BR6478ACV2 BR6478ACV2_v1.23 Command Injection
https://vuldb.com/submit/818455
lavender-bicycle-a5a.notion.site
https://lavender-bicycle-a5a.notion.site/EDIMAX-BR6478ACV2-formStaDrvSetup-34b53a41781f80ce9e66dbf60c71b960?source=copy_link
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-10127Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-10127",
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"dateUpdated": "2026-05-30T16:30:08.799Z",
"dateReserved": "2026-05-29T17:24:36.552Z",
"datePublished": "2026-05-30T16:30:08.799Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB",
"dateUpdated": "2026-05-30T16:30:08.799Z"
},
"title": "Edimax BR-6478AC POST Request formStaDrvSetup command injection",
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in Edimax BR-6478AC 1.23. This affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks."
}
],
"affected": [
{
"vendor": "Edimax",
"product": "BR-6478AC",
"cpes": [
"cpe:2.3:o:edimax:br-6478ac_firmware:*:*:*:*:*:*:*:*"
],
"modules": [
"POST Request Handler"
],
"versions": [
{
"version": "1.23",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Command Injection",
"cweId": "CWE-77",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "Injection",
"cweId": "CWE-74",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://vuldb.com/vuln/367304",
"name": "VDB-367304 | Edimax BR-6478AC POST Request formStaDrvSetup command injection",
"tags": [
"vdb-entry",
"technical-description"
]
},
{
"url": "https://vuldb.com/vuln/367304/cti",
"name": "VDB-367304 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
]
},
{
"url": "https://vuldb.com/submit/818455",
"name": "Submit #818455 | Edimax BR6478ACV2 BR6478ACV2_v1.23 Command Injection",
"tags": [
"third-party-advisory"
]
},
{
"url": "https://lavender-bicycle-a5a.notion.site/EDIMAX-BR6478ACV2-formStaDrvSetup-34b53a41781f80ce9e66dbf60c71b960?source=copy_link",
"tags": [
"exploit"
]
}
],
"metrics": [
{},
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV3_0": {
"version": "3.0",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"baseScore": 6.3,
"baseSeverity": "MEDIUM"
}
},
{
"cvssV2_0": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"baseScore": 6.5
}
}
],
"timeline": [
{
"time": "2026-05-29T00:00:00.000Z",
"lang": "en",
"value": "Advisory disclosed"
},
{
"time": "2026-05-29T02:00:00.000Z",
"lang": "en",
"value": "VulDB entry created"
},
{
"time": "2026-05-29T19:29:45.000Z",
"lang": "en",
"value": "VulDB entry last update"
}
],
"credits": [
{
"lang": "en",
"value": "wxhwxhwxh_mie (VulDB User)",
"type": "reporter"
}
]
}
}
}