A vulnerability was found in Edimax BR-6478AC V2 1.23 . It has been declared as critical . Affected is the function wiz_5in1_redirect of the file /goform/wiz_5in1_redirect of the component POST Request Handler . Such manipulation of the argument newpass leads to command injection. This vulnerability is uniquely identified as CVE-2026-12809 . The attack can be launched remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.