EUVD-2026-29019
GHSA-49r7-qrrc-gw83
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionNVD
A security flaw has been discovered in Tenda AC6 15.03.06.49_multi_TDE01. Affected is the function fromSetWirelessRepeat of the file /goform/WifiExtraSet of the component httpd. Performing a manipulation of the argument mac/ssid results in os command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
AnalysisAI
OS command injection in Tenda AC6 firmware version 15.03.06.49_multi_TDE01 allows high-privilege remote attackers to execute arbitrary commands via manipulation of mac/ssid parameters in the fromSetWirelessRepeat function exposed through the /goform/WifiExtraSet HTTP endpoint. Public exploit code is available, though the CVSS 2.0 score reflects limited impact scope due to requirement of high-privilege authentication and minimal confidentiality/integrity/availability effects beyond low-severity damage.
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today