Skip to main content

W30e Firmware CVE-2026-24439

MEDIUM
Improper Encoding or Escaping of Output (CWE-116)
2026-01-26 disclosure@vulncheck.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:00 vuln.today
CVE Published
Jan 26, 2026 - 18:16 nvd
MEDIUM 6.5

DescriptionCVE.org

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable script.

AnalysisAI

Tenda W30E firmware versions through V16.01.0.19(5037) omit the X-Content-Type-Options: nosniff header from web management interfaces, enabling MIME type confusion attacks. An unauthenticated remote attacker can exploit this to inject malicious scripts that browsers may execute as legitimate content, potentially compromising the integrity and confidentiality of management traffic. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment CVSS 6.5 (MEDIUM). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker could exploit this vulnerability to compromise the affected system.
Remediation Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-57086 HIGH POC
7.5 Sep 09

Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the String parameter in the formDeleteMeshNo

CVE-2026-24429 CRITICAL
9.8 Jan 26

Default credentials in Tenda W30E V2 router firmware through V16.01.0.19. Known default password enables full administra

CVE-2026-24436 CRITICAL
9.8 Jan 26

Missing rate limiting and account lockout on Tenda W30E V2 authentication endpoints. Brute-force attacks are unrestricte

CVE-2026-24440 HIGH
8.8 Jan 26

Unauthenticated password modification in Tenda W30E V2 firmware through the maintenance interface allows authenticated u

CVE-2026-24428 HIGH
8.8 Jan 26

Tenda W30E V2 firmware through version 16.01.0.19(5037) allows authenticated users with low privileges to escalate to ad

CVE-2026-24430 HIGH
7.5 Jan 26

Shenzhen Tenda W30E V2 firmware through V16.01.0.19(5037) transmits administrative credentials in plaintext over unencry

CVE-2026-24435 MEDIUM
6.5 Jan 26

Tenda W30E firmware through V16.01.0.19(5037) is vulnerable to CORS misconfiguration that permits authenticated administ

CVE-2026-24431 MEDIUM
6.5 Jan 26

Tenda W30E V2 firmware through V16.01.0.19(5037) exposes stored administrative passwords in plaintext on the management

CVE-2026-24437 MEDIUM
5.5 Jan 26

Tenda W30E V2 firmware through version 16.01.0.19(5037) fails to implement proper cache-control headers on sensitive adm

CVE-2026-24433 MEDIUM
5.4 Jan 26

Tenda W30E V2 firmware through V16.01.0.19(5037) fails to properly sanitize user input during account creation, allowing

CVE-2026-24432 MEDIUM
4.3 Jan 26

Tenda W30E V2 firmware through V16.01.0.19(5037) lacks CSRF protections on administrative functions, enabling attackers

CVE-2025-57085 CRITICAL POC
9.8 Sep 09

Tenda W30E V16.01.0.19 (5037) was discovered to contain a stack overflow in the v17 parameter in the UploadCfg function.

Share

CVE-2026-24439 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy