Skip to main content

Tenda AC6 EUVD-2026-29020

| CVE-2026-8264 LOW
OS Command Injection (CWE-78)
2026-05-11 VulDB GHSA-2fpj-h75c-c5vr
Command Injection Tenda
2.1
CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 11, 2026 - 04:22 NVD
MEDIUM LOW
CVSS changed
May 11, 2026 - 04:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
May 11, 2026 - 03:45 vuln.today
CVE Published
May 11, 2026 - 02:15 nvd
MEDIUM 6.3

DescriptionNVD

A weakness has been identified in Tenda AC6 15.03.06.23. Affected by this vulnerability is the function formWifiApScan of the file /goform/WifiApScan of the component httpd. Executing a manipulation of the argument wl2g.public.country/wl5g.public.country can lead to os command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

Remote authenticated command injection in Tenda AC6 router firmware version 15.03.06.23 allows authenticated attackers to execute arbitrary OS commands via manipulation of the wl2g.public.country or wl5g.public.country parameters in the /goform/WifiApScan endpoint. The vulnerability affects the httpd component's formWifiApScan function and has publicly available exploit code, presenting moderate risk to affected deployments.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

EUVD-2026-29020 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy