Which versions of Tenda are affected by CVE-2026-6199?

CVE-2026-6199 is a stack buffer overflow in Tenda F456 router firmware (version 1.0.0.5) that allows authenticated attackers to completely compromise affected devices through the QoS configuration…

Is there a public PoC exploit available for CVE-2026-6199?

Yes, a public proof-of-concept exploit is available for CVE-2026-6199. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-6199?

Within 24 hours: Identify all Tenda F456 routers running firmware 1.0.0.5 in your environment and document locations. Verify if vendor has released a patched firmware version beyond 1.0.0.5 (check Tenda support portal). Within 7 days: Restrict administrative access to the router web interface to a small set of authorized personnel; implement network segmentation to limit device access. Within 30 days: Deploy a firmware update if available from Tenda; if unavailable, evaluate replacement with a supported device or implement compensating controls (reverse proxy with authentication hardening, IP whitelisting for management access).

Tenda CVE-2026-6199

Q: What is the CVSS score of CVE-2026-6199?

CVE-2026-6199 has a CVSS 4.0 base score of 7.4 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-22063 HIGH

Stack-based Buffer Overflow (CWE-121)

2026-04-13 VulDB

GHSA-8977-93px-wpcg

Buffer Overflow Stack Overflow Tenda

7.4

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 20:37 vuln.today

cvss_changed

PoC Detected

Apr 22, 2026 - 20:23 vuln.today

Public exploit code

Analysis Generated

Apr 15, 2026 - 12:33 vuln.today

CVSS changed

Apr 13, 2026 - 19:37 NVD

8.8 (HIGH) 7.4 (HIGH)

EUVD ID Assigned

Apr 13, 2026 - 18:56 euvd

EUVD-2026-22063

Analysis Generated

Apr 13, 2026 - 18:56 vuln.today

CVE Published

Apr 13, 2026 - 18:30 nvd

HIGH 7.4

DescriptionNVD

A vulnerability was found in Tenda F456 1.0.0.5. Impacted is the function fromqossetting of the file /goform/qossetting. The manipulation of the argument page results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used.

AnalysisAI

Stack-based buffer overflow in Tenda F456 router firmware 1.0.0.5 allows authenticated remote attackers to achieve complete device compromise via crafted input to the 'page' parameter in the fromqossetting QoS configuration handler. Publicly available exploit code exists (GitHub POC), CVSS 7.4 (High), EPSS 0.05% (low exploitation probability). …

RemediationAI

Within 24 hours: Identify all Tenda F456 routers running firmware 1.0.0.5 in your environment and document locations. Verify if vendor has released a patched firmware version beyond 1.0.0.5 (check Tenda support portal). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-6199 vulnerability details – vuln.today

Back

Tenda CVE-2026-6199

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Tenda CVE-2026-6199

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code