{"api_version":"1","generated_at":"2026-05-30T14:00:48+00:00","cve":"CVE-2026-42948","urls":{"html":"https://cve.report/CVE-2026-42948","api":"https://cve.report/api/cve/CVE-2026-42948.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-42948","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-42948"},"summary":{"title":"CVE-2026-42948","description":"Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another administrative user's web browser.","state":"PUBLISHED","assigner":"jpcert","published_at":"2026-05-13 13:16:44","updated_at":"2026-05-13 15:47:10"},"problem_types":["CWE-79","CWE-79 Cross-site scripting (XSS)"],"metrics":[{"version":"4.0","source":"vultures@jpcert.or.jp","type":"Secondary","score":"4.8","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"4.8","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","data":{"baseScore":4.8,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","version":"4.0"}},{"version":"3.0","source":"vultures@jpcert.or.jp","type":"Secondary","score":"4.8","severity":"MEDIUM","vector":"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","data":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.0","source":"CNA","type":"CVSS","score":"4.8","severity":"MEDIUM","vector":"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","data":{"baseScore":4.8,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","version":"3.0"}}],"references":[{"url":"https://www.elecom.co.jp/news/security/20260512-01/","name":"https://www.elecom.co.jp/news/security/20260512-01/","refsource":"vultures@jpcert.or.jp","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://jvn.jp/en/jp/JVN03037325/","name":"https://jvn.jp/en/jp/JVN03037325/","refsource":"vultures@jpcert.or.jp","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-42948","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42948","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"ELECOM CO.,LTD.","product":"WAB-BE187-M","version":"affected v1.1.10 and earlier","platforms":[]},{"source":"CNA","vendor":"ELECOM CO.,LTD.","product":"WAB-BE72-M","version":"affected v1.1.3 and earlier","platforms":[]},{"source":"CNA","vendor":"ELECOM CO.,LTD.","product":"WAB-BE36-M","version":"affected v1.1.3 and earlier","platforms":[]},{"source":"CNA","vendor":"ELECOM CO.,LTD.","product":"WAB-BE36-S","version":"affected v1.1.3 and earlier","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"42948","cve":"CVE-2026-42948","epss":"0.000310000","percentile":"0.090810000","score_date":"2026-05-20","updated_at":"2026-05-21 00:09:24"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-42948","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-05-13T15:06:22.585437Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-13T15:06:33.320Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"WAB-BE187-M","vendor":"ELECOM CO.,LTD.","versions":[{"status":"affected","version":"v1.1.10 and earlier"}]},{"product":"WAB-BE72-M","vendor":"ELECOM CO.,LTD.","versions":[{"status":"affected","version":"v1.1.3 and earlier"}]},{"product":"WAB-BE36-M","vendor":"ELECOM CO.,LTD.","versions":[{"status":"affected","version":"v1.1.3 and earlier"}]},{"product":"WAB-BE36-S","vendor":"ELECOM CO.,LTD.","versions":[{"status":"affected","version":"v1.1.3 and earlier"}]}],"descriptions":[{"lang":"en","value":"Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another administrative user's web browser."}],"metrics":[{"cvssV3_0":{"baseScore":4.8,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","version":"3.0"},"format":"CVSS","scenarios":[{"lang":"en-US","value":"GENERAL"}]},{"cvssV4_0":{"baseScore":4.8,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","version":"4.0"},"format":"CVSS","scenarios":[{"lang":"en-US","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"Cross-site scripting (XSS)","lang":"en-US","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-13T12:02:03.914Z","orgId":"ede6fdc4-6654-4307-a26d-3331c018e2ce","shortName":"jpcert"},"references":[{"url":"https://www.elecom.co.jp/news/security/20260512-01/"},{"url":"https://jvn.jp/en/jp/JVN03037325/"}]}},"cveMetadata":{"assignerOrgId":"ede6fdc4-6654-4307-a26d-3331c018e2ce","assignerShortName":"jpcert","cveId":"CVE-2026-42948","datePublished":"2026-05-13T12:02:03.914Z","dateReserved":"2026-05-07T05:47:09.922Z","dateUpdated":"2026-05-13T15:06:33.320Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-13 13:16:44","lastModifiedDate":"2026-05-13 15:47:10","problem_types":["CWE-79","CWE-79 Cross-site scripting (XSS)"],"metrics":{"cvssMetricV40":[{"source":"vultures@jpcert.or.jp","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV30":[{"source":"vultures@jpcert.or.jp","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.7,"impactScore":2.7}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"42948","Ordinal":"1","Title":"CVE-2026-42948","CVE":"CVE-2026-42948","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"42948","Ordinal":"1","NoteData":"Stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. If one of the administrators input malicious data, an arbitrary script may be executed in another administrative user's web browser.","Type":"Description","Title":"CVE-2026-42948"}]}}}