GCVE - cpe:2.3:o:asuswrt-merlin:asuswrt-merlin:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:o:asuswrt-merlin:asuswrt-merlin:*:*:*:*:*:*:*:*

part: o version: * update: *

Vendor	Asuswrt Merlin (`54045b8e-7ec1-5b15-9831-9bc67ac6864b`)
Product	Asuswrt Merlin (`81029193-3134-5a06-a37a-b85eae5a8e7d`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/rmerl/asuswrt-merlin`	purl2cpe	2026-06-01 10:11:13.475188

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2018-8878`	vulnerable	2026-06-03 14:39:09.515170	Details available Information disclosure in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to acquire information on internal network devices' hostnames and MAC addresses by reading the custom_id variable on the blocking.asp page. Published: 2020-02-27T21:12:40.000Z Updated: 2024-08-05T07:10:46.214Z Open on db.gcve.eu Reference links https://github.com/outofhere/Research/blob/master/2018/Asus/cve_notes.md	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2018-8877`	vulnerable	2026-06-03 14:39:09.514767	Details available Information disclosure in Asuswrt-Merlin firmware for ASUS devices older than 384.4 and ASUS firmware before 3.0.0.4.382.50470 for devices allows remote attackers to acquire information on internal network IP address ranges by reading the new_lan_ip variable on the error_page.htm page. Published: 2020-02-27T21:11:29.000Z Updated: 2024-08-05T07:10:47.068Z Open on db.gcve.eu Reference links https://github.com/outofhere/Research/blob/master/2018/Asus/cve_notes.md	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2018-5721`	vulnerable	2026-06-03 14:38:58.370846	Details available Stack-based buffer overflow in the ej_update_variables function in router/httpd/web.c on ASUS routers (when using software from https://github.com/RMerl/asuswrt-merlin) allows web authenticated attackers to execute code via a request that updates a setting. In ej_update_variables, the length of the variable action_script is not checked, as long as it includes a "_wan_if" substring. Published: 2018-01-17T06:00:00.000Z Updated: 2024-08-05T05:40:51.215Z Open on db.gcve.eu Reference links http://www.w0lfzhang.com/2018/01/17/ASUS-router-stack-overflow-in-http-server/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-12754`	vulnerable	2026-06-03 14:36:37.036119	Details available Stack buffer overflow in httpd in Asuswrt-Merlin firmware 380.67_0RT-AC5300 and earlier for ASUS devices and ASUS firmware for ASUS RT-AC5300, RT_AC1900P, RT-AC68U, RT-AC68P, RT-AC88U, RT-AC66U, RT-AC66U_B1, RT-AC58U, RT-AC56U, RT-AC55U, RT-AC52U, RT-AC51U, RT-N18U, RT-N66U, RT-N56U, RT-AC3200, RT-AC3100, RT_AC1200GU, RT_AC1200G, RT-AC1200, RT-AC53, RT-N12HP, RT-N12HP_B1, RT-N12D1, RT-N12+, RT_N12+_PRO, RT-N16, and RT-N300 devices allows remote attackers to execute arbitrary code on the router by sending a crafted http GET request packet that includes a long delete_offline_client parameter in the url. Published: 2017-08-09T15:00:00.000Z Updated: 2024-08-05T18:51:06.166Z Open on db.gcve.eu Reference links https://asuswrt.lostrealm.ca/changelog https://github.com/coincoin7/Wireless-Router-Vulnerability/blob/master/Asus_DeleteOfflineClientOverflow.txt	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.