Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS Vector (GitHub Advisory)
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Description (GitHub Advisory)
handcraftedinthealps goodby-csv is a highly memory efficient, flexible and extendable open-source CSV import/export library. Prior to 1.4.3, goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an application. This so-called "gadget chain" presents no direct threat but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability. The problem is patched with Version 1.4.3.
Technical Context (AI)
Remote code execution allows an attacker to run arbitrary commands or code on the target system over a network without prior authentication. This vulnerability is classified as Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915).
Remediation (AI)
Apply the vendor patch immediately by upgrading goodby-csv to version 1.4.3 or later. Restrict network access to vulnerable services. Implement network segmentation and monitoring for anomalous activity.
EUVD-2025-18300
GHSA-x3c7-22c8-prg7