CVE-2026-35506 | THREATINT

Description

ELECOM wireless LAN access point devices contain an OS command injection vulnerability in processing of ping_ip_addr parameter. If processing a crafted request sent by a logged-in user, an arbitrary OS command may be executed.

PUBLISHED Reserved 2026-05-07 | Published 2026-05-13 | Updated 2026-05-13 | Assigner jpcert

HIGH: 7.2CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

Improper neutralization of special elements used in an OS command ('OS Command Injection')

Product status

v1.1.1 and earlier

affected

v1.1.1 and earlier

affected

v1.1.0 and earlier

affected

v1.1.0 and earlier

affected

References

www.elecom.co.jp/news/security/20260512-01/

jvn.jp/en/jp/JVN03037325/

cve.org (CVE-2026-35506)

nvd.nist.gov (CVE-2026-35506)

Download JSON