CVE-2026-36604EPSS p16.5%

CVE-2026-36604CVE-2026-36604

Description

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability (Access-Control-Allow-Origin: *) to internet-originated attacks.

Scoring

CVSS 6.5 ()
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS0.25% probability of exploitation · percentile 16.5% · 2026-06-19T12:03:05Z
Last modified2026-06-04

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-36605
CVE
CVE-2026-36618
CVE
CVE-2026-36608
CVE
CVE-2026-36603
CVE
CVE-2026-36613
CVE
CVE-2026-36615
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.