CVE-2026-1971 is a cross-site scripting vulnerability affecting Edimax BR-6288ACL routers running firmware versions up to 1.12. The flaw exists in the wiz_WISP24gmanual.asp file, specifically within the wiz_WISP24gmanual function, where the manualssid parameter is not properly sanitized. This allows an attacker to craft a malicious URL that injects arbitrary JavaScript code, which executes in the context of the victim's browser when they access the vulnerable interface. The attack vector is remote and does not require prior authentication, but successful exploitation requires user interaction, such as clicking a malicious link. The vulnerability can lead to theft of sensitive information like session cookies or credentials, enabling further attacks such as session hijacking or unauthorized configuration changes. The vendor has declared the product end-of-life and has not released a patch, though a consolidated security advisory is forthcoming. The CVSS 4.0 score is 4.8 (medium severity), reflecting the moderate impact and exploitation complexity. No known exploits have been observed in the wild yet, but public disclosure increases the likelihood of exploitation attempts. The vulnerability affects a niche set of legacy devices, limiting its scope but posing risks to organizations still using these routers without mitigation.

The primary impact of this vulnerability is on the confidentiality and integrity of the affected systems. Successful exploitation allows attackers to execute arbitrary scripts in the context of the router's web interface, potentially stealing session tokens, credentials, or performing unauthorized actions on behalf of the user. This can lead to unauthorized access to router configuration, network traffic interception, or pivoting to internal network resources. Since the device is often used in small office or home office environments, compromised routers could serve as entry points for broader network attacks. The lack of vendor support and patches increases the risk for organizations that continue to use these devices, as they remain exposed to emerging exploit techniques. The medium CVSS score reflects the moderate ease of exploitation and limited scope, but the impact on network security posture can be significant if exploited. The absence of known exploits in the wild currently limits immediate widespread impact, but the public disclosure may lead to increased targeting.

Given the end-of-life status of the Edimax BR-6288ACL and absence of patches, organizations should prioritize device replacement with supported models that receive regular security updates. If immediate replacement is not feasible, network segmentation should be implemented to isolate the vulnerable device from critical assets and limit exposure. Disable remote management interfaces or restrict access to trusted IP addresses only. Employ web filtering or intrusion detection systems to detect and block suspicious URLs or payloads targeting the manualssid parameter. Educate users about the risks of clicking unsolicited links, especially those related to router management interfaces. Regularly audit network devices to identify legacy or unsupported hardware and develop a phased decommissioning plan. Monitor vendor communications for the forthcoming consolidated security advisory and apply any recommended mitigations promptly. Consider deploying network-level protections such as DNS filtering or proxy solutions to reduce the risk of successful exploitation.