CVE-2026-32840
MEDIUMEdimax GS-5008PL <= 1.00.54 Stored XSS via Device Name
Title source: cnaDescription
Edimax GS-5008PL firmware version 1.00.54 and prior contain a stored cross-site scripting vulnerability in the system_name_set.cgi script that allows attackers to inject arbitrary script code by manipulating the sysName parameter. Attackers can send a crafted POST request with malicious script payload that executes when management pages including system_data.js are viewed by administrators.
References (3)
Core 3
Core References
Product product
https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/us/smb_legacy_switches/gs-5008pl/
Product product
https://www.edimax.com/edimax/merchandise/merchandise_list/data/edimax/us/smb_legacy_products/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/edimax-gs-5008pl-stored-xss-via-device-name
Scores
CVSS v3
5.4
EPSS
0.0022
EPSS Percentile
11.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
edimax/gs-5008pl_firmware
< 1.00.54
EDIMAX Technology Co., Ltd./Edimax GS-5008PL
< 1.0.54
EDIMAX Technology Co., Ltd./Edimax GS-5008PL
< 1.00.54
Published
Mar 17, 2026
Tracked Since
Mar 18, 2026