{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-9441", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-05-24T07:25:56.032Z", "datePublished": "2026-05-25T08:15:09.211Z", "dateUpdated": "2026-05-26T16:00:18.869Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-05-25T08:15:09.211Z" }, "title": "Edimax BR-6478AC POST Request formiNICbasic command injection", "problemTypes": [ { "descriptions": [ { "type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection" } ] }, { "descriptions": [ { "type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection" } ] } ], "affected": [ { "vendor": "Edimax", "product": "BR-6478AC", "versions": [ { "version": "1.23", "status": "affected" } ], "cpes": [ "cpe:2.3:o:edimax:br-6478ac_firmware:*:*:*:*:*:*:*:*" ], "modules": [ "POST Request Handler" ] } ], "descriptions": [ { "lang": "en", "value": "A security flaw has been discovered in Edimax BR-6478AC 1.23. Affected by this issue is the function formiNICbasic of the file /goform/formiNICbasic of the component POST Request Handler. Performing a manipulation of the argument rootAPmac results in command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way." } ], "metrics": [ { "cvssV4_0": { "version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM" } }, { "cvssV3_1": { "version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM" } }, { "cvssV3_0": { "version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM" } }, { "cvssV2_0": { "version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR" } } ], "timeline": [ { "time": "2026-05-24T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed" }, { "time": "2026-05-24T02:00:00.000Z", "lang": "en", "value": "VulDB entry created" }, { "time": "2026-05-24T09:31:17.000Z", "lang": "en", "value": "VulDB entry last update" } ], "credits": [ { "lang": "en", "value": "wxhwxhwxh_mie (VulDB User)", "type": "reporter" }, { "lang": "en", "value": "VulDB CNA Team", "type": "coordinator" } ], "references": [ { "url": "https://vuldb.com/vuln/365422", "name": "VDB-365422 | Edimax BR-6478AC POST Request formiNICbasic command injection", "tags": [ "vdb-entry", "technical-description" ] }, { "url": "https://vuldb.com/vuln/365422/cti", "name": "VDB-365422 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": [ "signature", "permissions-required" ] }, { "url": "https://vuldb.com/submit/818450", "name": "Submit #818450 | Edimax BR6478ACV2 BR6478ACV2_v1.23 Command Injection", "tags": [ "third-party-advisory" ] }, { "url": "https://lavender-bicycle-a5a.notion.site/EDIMAX-BR6478ACV2-formiNICbasic-34b53a41781f808bbc45e8ca54f93dd1?source=copy_link", "tags": [ "exploit" ] } ] }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-05-26T16:00:13.213954Z", "id": "CVE-2026-9441", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-26T16:00:18.869Z" } } ] } }