Stored Cross-Site Scripting Vulnerability in ELECOM Wireless LAN Access Point
CVE-2026-42948

4.8MEDIUM

Key Information:

Vendor: Elecom Co.,ltd.
Status: Wab-be187-m; Wab-be72-m; Wab-be36-m; Wab-be36-s
Vendor: CVE Published:; 13 May 2026

🔔 Create Elecom Co.,ltd. Vulnerability Alert

What is CVE-2026-42948?

A stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices, which could allow an attacker to execute arbitrary scripts in the browsers of other administrative users. If an administrator inputs malicious data, this vulnerability can be exploited, leading to potential unauthorized access and manipulation of the device's settings. Administrators are advised to update their systems and implement security measures to mitigate the risk of this vulnerability.

Affected Version(s)

WAB-BE187-M v1.1.10 and earlier

WAB-BE36-M v1.1.3 and earlier

WAB-BE36-S v1.1.3 and earlier

References

https://www.elecom.co.jp/news/security/20260512-01/

https://jvn.jp/en/jp/JVN03037325/

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

CVSS V3.0

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
May 7, 2026

CVE-2026-42948 Data

JSON