
CVE-2026-42948: XSS in ELECOM WAB-BE187-M Access Point

Platform

other

Component

elecom-wab-be187-m

A stored cross-site scripting (XSS) vulnerability has been identified in the ELECOM WAB-BE187-M Wireless LAN Access Point. This flaw allows an attacker, posing as an administrator, to inject malicious scripts that could be executed within the web browsers of other administrative users. The vulnerability affects devices running versions 1.1.3 through 1.1.10. A fix is pending, and mitigation strategies are recommended.

Impact and Attack Scenarios

Successful exploitation of this XSS vulnerability could allow an attacker to execute arbitrary JavaScript code within the context of another administrator's session. This could lead to account takeover, data theft (including credentials and configuration information), and potentially, unauthorized access to the network. The attacker could leverage this access to modify settings, redirect traffic, or launch further attacks against internal systems. The blast radius extends to any administrative user who interacts with the affected access point's web interface after the malicious script has been injected.

Exploitation Context

The vulnerability was published on 2026-05-13. Currently, there are no publicly available proof-of-concept (POC) exploits. The vulnerability's severity is assessed as Medium. It is not currently listed on KEV or EPSS, indicating a low to medium probability of active exploitation. Monitor security advisories and threat intelligence feeds for updates.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 base score: 4.8 (MEDIUM)
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
Source: nextguardhq.com (CVSS v3.1 Base Score)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: elecom-wab-be187-m
Vendor: ELECOM CO.,LTD.
Minimum version: 1.1.3
Maximum version: v1.1.10 and earlier

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

Because no patch is available, immediate mitigation focuses on limiting the potential impact. First, restrict administrative access to the WAB-BE187-M to trusted personnel only. Apply strict input validation and sanitization to all administrator input fields to prevent script injection. Consider placing a Web Application Firewall (WAF) with XSS filtering rules in front of the management interface to block suspicious requests. Monitor access point logs for unusual activity or attempts to inject scripts. After implementing these mitigations, verify their effectiveness by attempting to inject a benign test script and confirming that it is properly blocked.

How to fix

Update the firmware of the ELECOM WAB-BE187-M device to a fixed version. Refer to the ELECOM support page for more information on available firmware updates: https://www.elecom.co.jp/news/security/20260512-01/

Frequently asked questions

What is CVE-2026-42948 — XSS in ELECOM WAB-BE187-M?

CVE-2026-42948 is a stored cross-site scripting vulnerability affecting the ELECOM WAB-BE187-M Wireless LAN Access Point. An attacker can inject malicious scripts through administrator input, potentially executing them in other admin browsers.

Am I affected by CVE-2026-42948 in ELECOM WAB-BE187-M?

You are affected if you are using an ELECOM WAB-BE187-M Wireless LAN Access Point running versions 1.1.3 through 1.1.10. Check your device's firmware version to determine if you are vulnerable.

How do I fix CVE-2026-42948 in ELECOM WAB-BE187-M?

A patch is currently unavailable. Mitigate by restricting admin access, implementing input validation, using a WAF, and monitoring logs. Check the ELECOM website for updates.

Is CVE-2026-42948 being actively exploited?

Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-42948. However, the vulnerability remains present and could be exploited in the future.

Where can I find the official ELECOM advisory for CVE-2026-42948?

Refer to the ELECOM website for security advisories related to the WAB-BE187-M. Search for CVE-2026-42948 or related keywords on their support pages.
