26
CVEs
4
Critical
19
High
0
KEV
10
PoC
23
Unpatched C/H
0.0%
Patch Rate
0.5%
Avg EPSS
Severity Breakdown
CRITICAL
4
HIGH
19
MEDIUM
2
LOW
0
Monthly CVE Trend
Affected Products (30)
Ac6 Firmware
115
Ac18 Firmware
112
Ac9 Firmware
94
Ac15 Firmware
93
Ac10 Firmware
87
Ax1806 Firmware
61
Ac7 Firmware
60
Fh1202 Firmware
58
Ac8 Firmware
56
Ax1803 Firmware
56
N A
51
W30e Firmware
50
Ac1206 Firmware
43
Fh1206 Firmware
38
M3 Firmware
37
Ac10U Firmware
37
Fh1201 Firmware
36
Ac5 Firmware
35
Fh1203 Firmware
35
F1203 Firmware
34
G3 Firmware
31
W15e Firmware
30
Fh1205 Firmware
29
Ax3 Firmware
27
F1202 Firmware
25
Ax12 Firmware
24
Ac21 Firmware
23
A15 Firmware
21
Ac23 Firmware
20
W9 Firmware
19
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-15695 | Stack-based buffer overflow in the Tenda BE12 Pro Wi-Fi router (firmware 16.03.66.23) lets an attacker corrupt the stack by supplying an oversized 'page' argument to the /goform/DhcpListClient web endpoint handled by the fromDhcpListClient function. The flaw is reachable over the network and publicly available exploit code exists (disclosed via VulDB), though it is not listed in CISA KEV and no EPSS score was provided. Per the supplied CVSS 4.0 vector (PR:L) the attack requires low-level authentication to the device, and successful exploitation can crash the router or potentially achieve arbitrary code execution. | HIGH | 7.4 | 0.8% | 58 |
PoC
No patch
|
| CVE-2026-13518 | Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets a remote attacker corrupt memory by manipulating the 'page' parameter handled by the fromAddressNat function at the /goform/addressNat endpoint, potentially achieving code execution or device crash. Publicly available exploit code exists and the issue was disclosed by VulDB, though there is no public exploit identified as actively exploited in the wild. With a CVSS 4.0 base score of 7.4 and PR:L, exploitation requires some level of authenticated access to the web management interface. | HIGH | 7.4 | 0.5% | 57 |
PoC
No patch
|
| CVE-2026-13517 | Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) allows remote attackers to corrupt memory by manipulating the security_5g argument sent to the formWifiBasicSet handler at /goform/WifiBasicSet, potentially achieving denial of service or arbitrary code execution on the device. The flaw is network-reachable but, per the CVSS 4.0 vector, requires low-level authentication (PR:L), and publicly available exploit code exists. There is no public exploit identified as actively exploited in CISA KEV, and the EPSS score was not provided. | HIGH | 7.4 | 0.5% | 57 |
PoC
No patch
|
| CVE-2026-13519 | Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets remote attackers corrupt memory via the 'page' parameter handled by the fromNatStaticSetting function at the /goform/NatStaticSetting endpoint. Publicly available exploit code exists, and the CVSS 4.0 vector (PR:L) indicates an authenticated user on the device's web interface can trigger high confidentiality, integrity and availability impact. There is no public exploit identified as actively used in the wild - exploitation is proof-of-concept only at this time. | HIGH | 7.4 | 0.5% | 57 |
PoC
No patch
|
| CVE-2026-15543 | Buffer overflow in the Tenda CH22 router (firmware 1.0.0.1) allows a remote, authenticated attacker to corrupt memory by supplying an overlong 'Name' argument to the formCertListInfo function in the /goform/CertListInfo endpoint. The flaw was disclosed by VulDB with publicly available exploit code, and the CVSS 4.0 score of 8.7 reflects high confidentiality, integrity, and availability impact. No public exploit identified in CISA KEV, so this is a proof-of-concept-stage issue rather than confirmed in-the-wild abuse. | HIGH | 7.4 | 0.5% | 57 |
PoC
No patch
|
| CVE-2026-15691 | Stack-based buffer overflow in the Tenda BE12 Pro (firmware 16.03.66.23) web management interface lets an attacker corrupt memory by supplying an oversized 'page' argument to the fromSafeClientFilter handler at /goform/SafeClientFilter, potentially crashing the device or executing arbitrary code with router privileges. Per the CVSS 4.0 vector the flaw is network-reachable but requires low-level privileges (PR:L). Publicly available exploit code exists (disclosed via VulDB), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV. | HIGH | 7.4 | 0.8% | 57 |
PoC
No patch
|
| CVE-2026-15692 | Stack-based buffer overflow in the Tenda BE12 Pro router firmware 16.03.66.23 lets an authenticated remote attacker corrupt memory via the fromSafeUrlFilter handler at /goform/SafeUrlFilter by supplying an oversized 'page' parameter. Publicly available exploit code exists (published via VulDB), though the flaw is not listed in CISA KEV and no active exploitation has been confirmed. The CVSS 4.0 vector (7.4, PR:L) indicates network reachability with low-privilege authentication and high impact to confidentiality, integrity, and availability of the device. | HIGH | 7.4 | 0.8% | 57 |
PoC
No patch
|
| CVE-2026-15693 | Stack-based buffer overflow in the Tenda BE12 Pro Wi-Fi router (firmware 16.03.66.23) lets remote attackers corrupt memory by manipulating the 'page' argument of the fromSafeMacFilter handler at /goform/SafeMacFilter. Publicly available exploit code exists, though there is no public exploit identified as being used in active campaigns and it is not listed in CISA KEV. Successful exploitation can crash the device or potentially achieve code execution on the router's embedded OS. EPSS data was not provided. | HIGH | 7.4 | 0.5% | 57 |
PoC
No patch
|
| CVE-2026-15694 | Stack-based buffer overflow in the Tenda BE12 Pro router (firmware 16.03.66.23) lets attackers corrupt memory by manipulating the 'page' argument passed to the fromSetIpBind function of the /goform/SetIpBind endpoint. The flaw is remotely reachable over the network and, per the CVSS 4.0 vector, requires low-level privileges (PR:L) while yielding high confidentiality, integrity, and availability impact - typically resulting in device crash or arbitrary code execution on the router. Publicly available exploit code exists (E:P), disclosed via VulDB, though it is not listed in CISA KEV. | HIGH | 7.4 | 0.8% | 57 |
PoC
No patch
|
| CVE-2026-15696 | Stack-based buffer overflow in the Tenda BE12 Pro router (firmware 16.03.66.23) allows remote attackers to corrupt memory via the fromVirtualSer handler for the /goform/VirtualSer endpoint by supplying an oversized 'page' argument. The flaw carries CVSS 4.0 7.4 and, per its vector, requires low-level privileges (PR:L); publicly available exploit code exists, though there is no public exploit identified as actively used in the wild (not in CISA KEV). Successful exploitation can crash the device or potentially lead to arbitrary code execution on the embedded MIPS/ARM firmware. | HIGH | 7.4 | 0.8% | 57 |
PoC
No patch
|
| CVE-2026-51846 | Remote code execution in Tenda AC7 routers (firmware v15.03.06.44) is possible via a stack buffer overflow in the wanSpeed parameter of the /goform/AdvSetMacMtuWan endpoint. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network-based exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and the device is not listed in CISA KEV. | CRITICAL | 9.8 | 0.6% | 50 |
No patch
|
| CVE-2026-51843 | Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote attackers to corrupt memory through the wanMTU parameter of the /goform/AdvSetMacMtuWan web management endpoint. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact on confidentiality, integrity, and availability, though no public exploit identified at time of analysis. The flaw is classified as CWE-121 (stack-based buffer overflow), a class historically leveraged for code execution or denial of service on embedded MIPS/ARM SOHO routers. | CRITICAL | 9.8 | 0.4% | 49 |
No patch
|
| CVE-2026-51844 | Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote attackers to corrupt memory via an oversized cloneType parameter sent to the /goform/AdvSetMacMtuWan web interface endpoint. The CVSS 9.8 vector indicates unauthenticated network exploitation with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV. | CRITICAL | 9.8 | 0.4% | 49 |
No patch
|
| CVE-2026-51845 | Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote unauthenticated attackers to corrupt memory via the mac parameter in the /goform/AdvSetMacMtuWan web interface endpoint. The flaw carries a CVSS 9.8 critical rating with network attack vector and no authentication required, though no public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV. Tenda SOHO routers in this family have a well-documented history of similar /goform/* stack overflows being weaponized for botnet recruitment. | CRITICAL | 9.8 | 0.4% | 49 |
No patch
|
| CVE-2026-51603 | Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the RTSP service by sending a crafted second SETUP request after a valid RTSP handshake, knocking the camera offline for every client on the network. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP second-stage URL routing parser; publicly available exploit code exists via a GitHub write-up, though no active exploitation is confirmed and the CVSS availability-only impact means it is a crash, not code execution, at time of analysis. | HIGH | 7.5 | 0.4% | 38 |
No patch
|