CVE-2026-36604
In short
This router doesn't check where requests come from, allowing attackers to trick your browser into sending commands to your router from a malicious website. The router's overly permissive security settings make this possible.
Technical detail
The Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 fails to validate HTTP Host headers, enabling DNS rebinding attacks. Combined with CORS misconfiguration (Access-Control-Allow-Origin: *), an external attacker can exploit this via cross-origin requests from a malicious domain that resolves to the router's internal IP, potentially leading to unauthorized configuration changes or information disclosure.
Summary generated and translated by AI from the official description.
Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability (Access-Control-Allow-Origin: *) to internet-originated attacks.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
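An added example, not code from the advisory or from the vendor: a sketch of the two server-side checks whose absence the description names, a Host header allowlist and an Origin allowlist in place of `Access-Control-Allow-Origin: *`. The LAN address `192.168.1.1`, the name `router.lan`, the function names and the sample requests are assumptions made for illustration.

```python
# Added example. All values are assumptions, not taken from the firmware.
ALLOWED_HOSTS = {"192.168.1.1", "router.lan"}      # names the admin UI answers to
ALLOWED_ORIGINS = {"http://192.168.1.1", "http://router.lan"}


def normalize_host(value):
    """Lower-case a Host header value and strip the port and any trailing dot."""
    host = (value or "").strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [fe80::1]:80
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def handle(headers):
    """Return (status, response_headers) for a request to the admin interface."""
    host = normalize_host(headers.get("Host"))
    if host not in ALLOWED_HOSTS:
        # After a rebind the browser still sends the rebound domain in Host,
        # so refusing unknown names rejects the request before any handler runs.
        return 421, {}
    response = {"Vary": "Origin"}
    origin = headers.get("Origin", "").lower()
    if origin in ALLOWED_ORIGINS:
        # Echo only known origins instead of answering with the wildcard.
        response["Access-Control-Allow-Origin"] = origin
    return 200, response


# Constructed sample requests (header dicts), not captured traffic.
SAMPLES = [
    {"Host": "192.168.1.1"},
    {"Host": "Router.LAN:80", "Origin": "http://router.lan"},
    {"Host": "rebind.example.test", "Origin": "http://rebind.example.test"},
    {"Host": "192.168.1.1", "Origin": "http://other.example.test"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", handle(sample))
```

The third sample is the rebinding case: the request reaches the router's IP, but the Host value is a name outside the allowlist, so it is refused with 421. The fourth shows that a cross-origin page gets no CORS grant and so cannot read the response.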
Affected products
n/a · n/a