Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was found in Tenda 4G06 04.06.01.29. This vulnerability affects the function fromDhcpListClient of the file /goform/DhcpListClient of the component Endpoint. Performing a manipulation of the argument page results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used.
AnalysisAI
Stack-based buffer overflow in Tenda 4G06 router firmware version 04.06.01.29 allows authenticated remote attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the fromDhcpListClient function accessible via the /goform/DhcpListClient endpoint, triggered by manipulating the 'page' parameter. Publicly available exploit code exists (GitHub PoC published), significantly lowering the barrier to exploitation. CVSS 8.8 (High) reflects network-based attack vector with low complexity, though low-privilege authentication is required. Not currently listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis.
Technical ContextAI
This vulnerability affects the web management interface of the Tenda 4G06 wireless router, specifically within the DHCP client list functionality. The fromDhcpListClient function in the /goform/DhcpListClient endpoint fails to properly validate the length of the 'page' parameter before copying it to a fixed-size stack buffer. This is a classic CWE-121 (Stack-based Buffer Overflow) condition where attacker-controlled input exceeds allocated buffer space on the program stack. Embedded router firmware often uses custom web servers with minimal input validation, and stack-based overflows can allow attackers to overwrite return addresses or function pointers to redirect execution flow. The affected product is identified by CPE cpe:2.3:a:tenda:4g06:*:*:*:*:*:*:*:*, with confirmed vulnerable firmware version 04.06.01.29. The /goform/ path pattern is characteristic of Tenda's web interface implementation across multiple router models.
RemediationAI
No vendor-released patch identified at time of analysis despite public disclosure and PoC availability. Organizations should immediately implement the following mitigations: First, verify if devices are running vulnerable firmware version 04.06.01.29 through the web interface or device labels. Disable remote web management access and restrict administrative interface access to trusted internal networks only, blocking WAN-side access at the firewall level. Change all default credentials to strong, unique passwords with minimum 16-character complexity. Monitor Tenda's official support site (https://www.tenda.com.cn/) for firmware updates addressing CVE-2026-5036. As an alternative, consider replacing affected devices with models from vendors demonstrating stronger security update practices if Tenda does not release timely patches. Network segmentation should isolate IoT/router management VLANs from critical systems. The VulDB advisory at https://vuldb.com/vuln/353962 and the researcher's GitHub repository at https://github.com/Kiciot/cve/issues/1 should be monitored for additional technical details or vendor response updates.
Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function. Rated high sev
Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 and Tenda N3 Wireless N150 devices allow remote attacke
The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication
Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function. Rated critic
In Tenda AC9 v1.0 V15.03.05.14_multi, the wanMTU parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability
Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via
Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formsetUsbUnload function via
Tenda AC23 v16.03.07.44 was discovered to contain a buffer overflow via fromAdvSetMacMtuWan. Rated critical severity (CV
Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet. Rated critical se
Tenda AX1803 v1.0.0.1 was discovered to contain a command injection vulnerability via the function fromAdvSetLanIp. Rate
Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution (RCE) vulnerability via the list parameter at /
In the Tenda ac9 v1.0 router with firmware V15.03.05.14_multi, there is a stack overflow vulnerability in /goform/WifiWp
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16981
GHSA-737m-qjmx-7gx3