CVE-2026-42948
Description
A stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators inputs malicious data, an arbitrary script may be executed in another administrative user's web browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting vulnerability in ELECOM wireless LAN access points allows an administrator to inject malicious scripts that execute in another admin's browser.
Vulnerability Overview
CVE-2026-42948 is a stored cross-site scripting (XSS) vulnerability affecting multiple ELECOM wireless LAN access point models, including the WAB-BE187-M, WAB-BE72-M, WAB-BE36-M, and WAB-BE36-S. The vulnerability arises because the device does not properly sanitize input from administrators: if one administrator submits malicious data, it is stored and later rendered in the web management interface of another administrative user, leading to script execution in the victim administrator's browser [1].
Attack Vector and Prerequisites
Exploitation requires that an authenticated administrator with access to the device's web management interface inputs crafted data. The attacker must have administrative credentials or be able to modify stored configuration or settings. The stored payload is then triggered when another administrator views the affected page, executing arbitrary JavaScript in the context of the management session [1].
Impact
Successful exploitation allows an attacker to perform actions on behalf of the victim administrator, such as modifying device settings, exfiltrating sensitive information, or further compromising the network. Since the attack is stored and targets the administrative interface, it can lead to persistent compromise of the device's configuration [1].
Mitigation
ELECOM has released firmware updates to address this vulnerability. Users should update their devices to the latest firmware versions as listed in the vendor advisory. No workarounds are provided; applying the patch is the recommended mitigation [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.