Search criteria
7 vulnerabilities found for WAB-BE72-M by ELECOM CO.,LTD.
CVE-2026-42961 (GCVE-0-2026-42961)
Vulnerability from nvd – Published: 2026-05-13 12:02 – Updated: 2026-05-13 15:04
VLAI?
Summary
ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while logged in, the user may be tricked to do unintended operations.
Severity ?
4.3 (Medium)
CWE
- CWE-344 - Use of Invariant Value in Dynamically Changing Context
Assigner
References
2 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| ELECOM CO.,LTD. | WAB-BE187-M |
Affected:
v1.1.10 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE72-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-S |
Affected:
v1.1.3 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:03:53.658856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:04:39.032Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WAB-BE187-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.10 and earlier"
}
]
},
{
"product": "WAB-BE72-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-S",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while logged in, the user may be tricked to do unintended operations."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-344",
"description": "Use of Invariant Value in Dynamically Changing Context",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:02:22.642Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.elecom.co.jp/news/security/20260512-01/"
},
{
"url": "https://jvn.jp/en/jp/JVN03037325/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-42961",
"datePublished": "2026-05-13T12:02:22.642Z",
"dateReserved": "2026-05-07T05:47:12.897Z",
"dateUpdated": "2026-05-13T15:04:39.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42950 (GCVE-0-2026-42950)
Vulnerability from nvd – Published: 2026-05-13 12:02 – Updated: 2026-05-13 15:05
VLAI?
Summary
ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user's web browser may become broken.
Severity ?
4.3 (Medium)
CWE
- CWE-754 - Improper check for unusual or exceptional conditions
Assigner
References
2 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| ELECOM CO.,LTD. | WAB-BE187-M |
Affected:
v1.1.10 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE72-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-S |
Affected:
v1.1.3 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:05:24.135095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:05:49.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WAB-BE187-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.10 and earlier"
}
]
},
{
"product": "WAB-BE72-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-S",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user\u0027s web browser may become broken."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "Improper check for unusual or exceptional conditions",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:02:12.851Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.elecom.co.jp/news/security/20260512-01/"
},
{
"url": "https://jvn.jp/en/jp/JVN03037325/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-42950",
"datePublished": "2026-05-13T12:02:12.851Z",
"dateReserved": "2026-05-07T05:47:10.836Z",
"dateUpdated": "2026-05-13T15:05:49.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42948 (GCVE-0-2026-42948)
Vulnerability from nvd – Published: 2026-05-13 12:02 – Updated: 2026-05-13 15:06
VLAI?
Summary
Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another administrative user's web browser.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Cross-site scripting (XSS)
Assigner
References
2 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| ELECOM CO.,LTD. | WAB-BE187-M |
Affected:
v1.1.10 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE72-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-S |
Affected:
v1.1.3 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42948",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:06:22.585437Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:06:33.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WAB-BE187-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.10 and earlier"
}
]
},
{
"product": "WAB-BE72-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-S",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another administrative user\u0027s web browser."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site scripting (XSS)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:02:03.914Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.elecom.co.jp/news/security/20260512-01/"
},
{
"url": "https://jvn.jp/en/jp/JVN03037325/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-42948",
"datePublished": "2026-05-13T12:02:03.914Z",
"dateReserved": "2026-05-07T05:47:09.922Z",
"dateUpdated": "2026-05-13T15:06:33.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42961 (GCVE-0-2026-42961)
Vulnerability from cvelistv5 – Published: 2026-05-13 12:02 – Updated: 2026-05-13 15:04
VLAI?
Summary
ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while logged in, the user may be tricked to do unintended operations.
Severity ?
4.3 (Medium)
CWE
- CWE-344 - Use of Invariant Value in Dynamically Changing Context
Assigner
References
2 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| ELECOM CO.,LTD. | WAB-BE187-M |
Affected:
v1.1.10 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE72-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-S |
Affected:
v1.1.3 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:03:53.658856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:04:39.032Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WAB-BE187-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.10 and earlier"
}
]
},
{
"product": "WAB-BE72-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-S",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while logged in, the user may be tricked to do unintended operations."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-344",
"description": "Use of Invariant Value in Dynamically Changing Context",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:02:22.642Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.elecom.co.jp/news/security/20260512-01/"
},
{
"url": "https://jvn.jp/en/jp/JVN03037325/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-42961",
"datePublished": "2026-05-13T12:02:22.642Z",
"dateReserved": "2026-05-07T05:47:12.897Z",
"dateUpdated": "2026-05-13T15:04:39.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42950 (GCVE-0-2026-42950)
Vulnerability from cvelistv5 – Published: 2026-05-13 12:02 – Updated: 2026-05-13 15:05
VLAI?
Summary
ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user's web browser may become broken.
Severity ?
4.3 (Medium)
CWE
- CWE-754 - Improper check for unusual or exceptional conditions
Assigner
References
2 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| ELECOM CO.,LTD. | WAB-BE187-M |
Affected:
v1.1.10 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE72-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-S |
Affected:
v1.1.3 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:05:24.135095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:05:49.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WAB-BE187-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.10 and earlier"
}
]
},
{
"product": "WAB-BE72-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-S",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user\u0027s web browser may become broken."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "Improper check for unusual or exceptional conditions",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:02:12.851Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.elecom.co.jp/news/security/20260512-01/"
},
{
"url": "https://jvn.jp/en/jp/JVN03037325/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-42950",
"datePublished": "2026-05-13T12:02:12.851Z",
"dateReserved": "2026-05-07T05:47:10.836Z",
"dateUpdated": "2026-05-13T15:05:49.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42948 (GCVE-0-2026-42948)
Vulnerability from cvelistv5 – Published: 2026-05-13 12:02 – Updated: 2026-05-13 15:06
VLAI?
Summary
Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another administrative user's web browser.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Cross-site scripting (XSS)
Assigner
References
2 references
Impacted products
4 products
| Vendor | Product | Version | |
|---|---|---|---|
| ELECOM CO.,LTD. | WAB-BE187-M |
Affected:
v1.1.10 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE72-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-S |
Affected:
v1.1.3 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42948",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:06:22.585437Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:06:33.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WAB-BE187-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.10 and earlier"
}
]
},
{
"product": "WAB-BE72-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-S",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another administrative user\u0027s web browser."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross-site scripting (XSS)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:02:03.914Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.elecom.co.jp/news/security/20260512-01/"
},
{
"url": "https://jvn.jp/en/jp/JVN03037325/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-42948",
"datePublished": "2026-05-13T12:02:03.914Z",
"dateReserved": "2026-05-07T05:47:09.922Z",
"dateUpdated": "2026-05-13T15:06:33.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
JVNDB-2026-000073
Vulnerability from jvndb - Published: 2026-05-12 15:16 - Updated:2026-05-12 15:16
Severity ?
Summary
Multiple vulnerabilities in ELECOM wireless LAN routers and access points (May 2026)
Details
Multiple wireless LAN routers and access points provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.
- Use of Hard-coded Cryptographic Key in creating backup of configuration files (CWE-321) - CVE-2026-25107
- OS command injection in processing of ping_ip_addr parameter (CWE-78) - CVE-2026-35506
- Missing authentication when accepting in specific URLs (CWE-288) - CVE-2026-40621
- OS command injection in processing of username parameter (CWE-78) - CVE-2026-42062
- Stored cross-site scripting due to inadequate hostname parameter handling (CWE-79) - CVE-2026-42948
- Missing Check for language parameter (CWE-754) - CVE-2026-42950
- Inadequate CSRF protection (CWE-344) - CVE-2026-42961
References
Impacted products
| Vendor | Product | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000073.html",
"dc:date": "2026-05-12T15:16+09:00",
"dcterms:issued": "2026-05-12T15:16+09:00",
"dcterms:modified": "2026-05-12T15:16+09:00",
"description": "Multiple wireless LAN routers and access points provided by ELECOM CO.,LTD. contain multiple vulnerabilities listed below.\u003ca href=\u0027https://cwe.mitre.org/data/definitions/321.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003ca href=\u0027https://cwe.mitre.org/data/definitions/78.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\r\n\u003ca href=\u0027https://cwe.mitre.org/data/definitions/288.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\r\n\u003ca href=\u0027https://cwe.mitre.org/data/definitions/78.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\r\n\u003ca href=\u0027https://cwe.mitre.org/data/definitions/79.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003ca href=\u0027https://cwe.mitre.org/data/definitions/754.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003ca href=\u0027https://cwe.mitre.org/data/definitions/344.html\u0027 target=\u0027_blank\u0027\u003e\u003c/a\u003e\u003cul\u003e\u003cli\u003eUse of Hard-coded Cryptographic Key in creating backup of configuration files (CWE-321) - CVE-2026-25107\u003c/li\u003e\u003cli\u003eOS command injection in processing of ping_ip_addr parameter (CWE-78) - CVE-2026-35506\u003c/li\u003e\u003cli\u003eMissing authentication when accepting in specific URLs (CWE-288) - CVE-2026-40621\u003c/li\u003e\u003cli\u003eOS command injection in processing of username parameter (CWE-78) - CVE-2026-42062\u003c/li\u003e\u003cli\u003eStored cross-site scripting due to inadequate hostname parameter handling (CWE-79) - CVE-2026-42948\u003c/li\u003e\u003cli\u003eMissing Check for language parameter (CWE-754) - CVE-2026-42950\u003c/li\u003e\u003cli\u003eInadequate CSRF protection (CWE-344) - CVE-2026-42961\u003c/li\u003e\u003c/ul\u003eThe vulnerabilities are reported from the following people, and JPCERT/CC coordinated with the developer.\r\n\r\nCVE-2026-25107, CVE-2026-42950, CVE-2026-42961\r\nKentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.\r\n\r\nCVE-2026-42948\r\nSato Nobuhiro of Suzuki Motor Corporation, Futamata Keisuke of University Of Fukui, Takahashi Natsuki of Shizuoka University, Sasaki Miyu of Waseda University reported this vulnerability to IPA.\r\n\r\nCVE-2026-35506, CVE-2026-40621, CVE-2026-42062\r\nChuya Hayakawa of 00One, Inc. reported these vulnerabilities to JPCERT/CC.",
"link": "https://jvndb.jvn.jp/en/contents/2026/JVNDB-2026-000073.html",
"sec:cpe": [
{
"#text": "cpe:/o:elecom:wab-be187-m",
"@product": "WAB-BE187-M",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wab-be36-m",
"@product": "WAB-BE36-M",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wab-be36-s",
"@product": "WAB-BE36-S",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wab-be72-m",
"@product": "WAB-BE72-M",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-be65qsd-b",
"@product": "WRC-BE65QSD-B",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-be72xsd-b",
"@product": "WRC-BE72XSD-B",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-be72xsd-ba",
"@product": "WRC-BE72XSD-BA",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-w702-b",
"@product": "WRC-W702-B",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-x1800gs-b_firmware",
"@product": "WRC-X1800GS-B",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-x1800gsa-b_firmware",
"@product": "WRC-X1800GSA-B",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-x1800gsh-b_firmware",
"@product": "WRC-X1800GSH-B",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-x3000gs2-b",
"@product": "WRC-X3000GS2-B",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-x3000gs2-w",
"@product": "WRC-X3000GS2-W",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-x3000gs2a-b",
"@product": "WRC-X3000GS2A-B",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-x3000gst2-b",
"@product": "WRC-X3000GST2-B",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-x6000qs-g",
"@product": "WRC-X6000QS-G",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-x6000qsa-g",
"@product": "WRC-X6000QSA-G",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-x6000xs-g_firmware",
"@product": "WRC-X6000XS-G",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-x6000xst-g_firmware",
"@product": "WRC-X6000XST-G",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-xe5400gs-g",
"@product": "WRC-XE5400GS-G",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
},
{
"#text": "cpe:/o:elecom:wrc-xe5400gsa-g",
"@product": "WRC-XE5400GSA-G",
"@vendor": "ELECOM CO.,LTD.",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "9.8",
"@severity": "Critical",
"@type": "Base",
"@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"@version": "3.0"
},
"sec:identifier": "JVNDB-2026-000073",
"sec:references": [
{
"#text": "https://jvn.jp/en/jp/JVN03037325/index.html",
"@id": "JVN#03037325",
"@source": "JVN"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2026-25107",
"@id": "CVE-2026-25107",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2026-35506",
"@id": "CVE-2026-35506",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2026-40621",
"@id": "CVE-2026-40621",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2026-42062",
"@id": "CVE-2026-42062",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2026-42948",
"@id": "CVE-2026-42948",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2026-42950",
"@id": "CVE-2026-42950",
"@source": "CVE"
},
{
"#text": "https://www.cve.org/CVERecord?id=CVE-2026-42961",
"@id": "CVE-2026-42961",
"@source": "CVE"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-78",
"@title": "OS Command Injection(CWE-78)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-Other",
"@title": "No Mapping(CWE-Other)"
}
],
"title": "Multiple vulnerabilities in ELECOM wireless LAN routers and access points (May 2026)"
}