CVE-2026-12807 | Edimax BR-6478AC V2 1.23 POST Request /goform/setWAN pppUserName/pptpUserName/L2TPUserName command injection

A vulnerability was found in Edimax BR-6478AC V2 1.23 and classified as critical. This affects the function setWAN of the file /goform/setWAN of the component POST Request Handler. The manipulation of the argument pppUserName/pptpUserName/L2TPUserName results in command injection.

This vulnerability is known as CVE-2026-12807. It is possible to launch the attack remotely. Furthermore, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-12807 | Edimax BR-6478AC V2 1.23 POST Request /goform/setWAN pppUserName/pptpUserName/L2TPUserName command injection

Post correlati

CVE-2026-26829 | owntone-server up to c4d57aa src/misc.c safe_atou64 null pointer dereference

CVE-2025-67111 | OpenDDS up to 3.32.x RTPS Protocol integer overflow

CVE-2025-0882 | code-projects Chat System up to 1.0 /user/addnewmember.php user sql injection

CVE-2025-5605 | WSO2 Identity Server Management Console information disclosure