CVE-2026-3974
HIGH
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
A vulnerability was identified in Tenda W3 1.0.0.3(2204). It affects the function formexeCommand of the file /goform/exeCommand in the HTTP Handler component. Manipulating the argument cmdinput leads to a stack-based buffer overflow. The attack may be performed remotely. The exploit is publicly available and might be used.
Analysis
Stack-based buffer overflow in Tenda W3 1.0.0.3(2204) HTTP handler allows authenticated remote attackers to execute arbitrary code by sending a crafted request to the /goform/exeCommand endpoint with an oversized cmdinput parameter. Public exploit code exists for this vulnerability, and no patch is currently available.
Remediation
Within 24 hours: Identify and inventory all Tenda W3 1.0.0.3(2204) devices in your environment using network scanning tools; isolate critical instances from trusted networks if feasible. Within 7 days: Contact Tenda for patch status and availability; implement network segmentation to restrict access to affected devices; monitor for exploitation attempts in logs. …