CVE-2026-1971 identifies a cross-site scripting vulnerability in the Edimax BR-6288ACL router firmware up to version 1.12. The vulnerability resides in the wiz_WISP24gmanual.asp web interface file, specifically within the wiz_WISP24gmanual function. The manualssid parameter is not properly sanitized, allowing an attacker to inject arbitrary JavaScript code. This XSS flaw can be exploited remotely without authentication, but requires user interaction, such as tricking a user into visiting a maliciously crafted URL. Successful exploitation could enable attackers to execute scripts in the context of the victim’s browser, potentially leading to session hijacking, credential theft, or other malicious actions within the router’s web management interface. The vendor has declared the product end-of-life and has not released patches, though a consolidated security advisory is planned. The CVSS 4.0 score is 4.8 (medium), reflecting the low complexity of attack but limited impact due to required user interaction and lack of privilege escalation. No known exploits are currently active in the wild, but public disclosure increases the likelihood of future exploitation. The vulnerability primarily affects home and small office environments using this specific Edimax router model. Given the lack of vendor support, affected devices remain vulnerable unless replaced or mitigated through network controls.

For European organizations, the impact of CVE-2026-1971 is primarily on confidentiality and integrity of data accessed through the router’s web interface. Attackers exploiting this XSS vulnerability could hijack administrative sessions or steal sensitive configuration data, potentially leading to further network compromise. Although the vulnerability does not directly affect availability, compromised routers could be leveraged for lateral movement or as a foothold for broader attacks. The risk is heightened in environments where these routers are used to manage critical network segments or where remote management is enabled. Small and medium enterprises (SMEs) and home office users in Europe relying on the Edimax BR-6288ACL are particularly vulnerable due to the end-of-life status and lack of patches. The medium severity rating reflects the moderate impact balanced against the need for user interaction and the absence of privilege escalation. However, the public disclosure and exploit availability could increase attack attempts, especially targeting less security-aware users or organizations with limited IT resources.

Given the lack of vendor patches for this end-of-life product, European organizations should prioritize the following mitigations: 1) Replace affected Edimax BR-6288ACL routers with currently supported models that receive security updates. 2) Disable remote management interfaces to reduce exposure to remote attacks. 3) Implement network segmentation to isolate vulnerable devices from critical infrastructure and sensitive data. 4) Employ web filtering or intrusion detection systems to block or alert on suspicious URLs or payloads targeting the manualssid parameter. 5) Educate users about the risks of clicking unknown or suspicious links to reduce the likelihood of successful user interaction-based attacks. 6) Regularly audit network devices to identify and inventory end-of-life hardware and prioritize their replacement. 7) Monitor vendor advisories and threat intelligence feeds for any emerging exploits or mitigation guidance. These steps go beyond generic advice by focusing on compensating controls and proactive device lifecycle management tailored to this specific vulnerability and product status.