Skip to main content

Tenda CVE-2026-5989

| EUVDEUVD-2026-21239 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-04-09 VulDB GHSA-gg8x-v42q-jxpx
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
PoC Detected
Apr 10, 2026 - 00:16 vuln.today
Public exploit code
EUVD ID Assigned
Apr 09, 2026 - 23:31 euvd
EUVD-2026-21239
Analysis Generated
Apr 09, 2026 - 23:31 vuln.today
CVE Published
Apr 09, 2026 - 23:15 nvd
HIGH 7.4

DescriptionCVE.org

A flaw has been found in Tenda F451 1.0.0.7. Affected is the function fromRouteStatic of the file /goform/RouteStatic. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been published and may be used.

AnalysisAI

Stack-based buffer overflow in Tenda F451 wireless router firmware 1.0.0.7 allows authenticated remote attackers to execute arbitrary code via crafted page parameter to fromRouteStatic function in /goform/RouteStatic endpoint. Attack requires low-privilege authenticated access to web management interface with no user interaction. Publicly available exploit code exists. Exploitation yields complete compromise of router confidentiality, integrity, and availability.

Technical ContextAI

CWE-121 stack overflow in fromRouteStatic route handling function. Insufficient bounds checking on page argument permits memory corruption beyond stack buffer boundary. CVSS vector PR:L indicates authentication required; network-accessible attack surface through HTTP management interface. Exploit primitive disclosed in public repository.

RemediationAI

No vendor-released patch identified at time of analysis. Tenda has not published security advisories or firmware updates addressing CVE-2026-5989 per available vendor references (https://www.tenda.com.cn/). Immediate mitigations: restrict administrative interface access to trusted networks only via firewall rules; disable remote management if enabled; implement strong authentication credentials; monitor for unauthorized configuration changes. Consider hardware replacement if vendor does not release patched firmware. Consult VulDB tracking page for updates: https://vuldb.com/vuln/356543. Organizations should isolate affected devices from untrusted networks until remediation becomes available.

More in Tenda

View all
CVE-2022-30023 HIGH POC
8.8 Jun 16

Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function. Rated high sev

CVE-2015-5995 CRITICAL POC
9.8 Dec 31

Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 and Tenda N3 Wireless N150 devices allow remote attacke

CVE-2014-5246 CRITICAL POC
10.0 Aug 22

The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication

CVE-2025-45042 CRITICAL POC
9.8 May 05

Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function. Rated critic

CVE-2025-29384 CRITICAL POC
9.8 Mar 14

In Tenda AC9 v1.0 V15.03.05.14_multi, the wanMTU parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability

CVE-2025-44877 CRITICAL POC
9.8 May 02

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via

CVE-2025-44872 CRITICAL POC
9.8 May 02

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formsetUsbUnload function via

CVE-2022-32386 CRITICAL POC
9.8 Jul 06

Tenda AC23 v16.03.07.44 was discovered to contain a buffer overflow via fromAdvSetMacMtuWan. Rated critical severity (CV

CVE-2025-25632 CRITICAL POC
9.8 Mar 05

Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet. Rated critical se

CVE-2023-51972 CRITICAL POC
9.8 Jan 10

Tenda AX1803 v1.0.0.1 was discovered to contain a command injection vulnerability via the function fromAdvSetLanIp. Rate

CVE-2023-51812 CRITICAL POC
9.8 Jan 04

Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution (RCE) vulnerability via the list parameter at /

CVE-2025-45429 CRITICAL POC
9.8 Apr 23

In the Tenda ac9 v1.0 router with firmware V15.03.05.14_multi, there is a stack overflow vulnerability in /goform/WifiWp

Share

CVE-2026-5989 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy