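| Metric | Value |
|---|---|
| CVEs | 70 |
| Critical | 1 |
| High | 55 |
| KEV | 0 |
| PoC | 54 |
| Unpatched C/H | 55 |
| Patch Rate | 1.4% |
| Avg EPSS | 0.2% |

Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 1 |
| HIGH | 55 |
| MEDIUM | 14 |
| LOW | 0 |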
Affected Products (30)

| Product | Count |
|---|---|
| Stack Overflow | 131 |
| Ac6 Firmware | 36 |
| Command Injection | 34 |
| Memory Corruption | 31 |
| Ac18 Firmware | 24 |
| Ac9 Firmware | 22 |
| Ac10 Firmware | 21 |
| Ax3 Firmware | 18 |
| Ac8 Firmware | 18 |
| Fh1202 Firmware | 17 |
| PHP | 15 |
| Ac15 Firmware | 14 |
| Ac20 Firmware | 13 |
| G3 Firmware | 13 |
| W18E Firmware | 13 |
| Rx3 Firmware | 12 |
| O3 Firmware | 11 |
| Rx2 Pro Firmware | 11 |
| Ch22 Firmware | 11 |
| Ax1806 Firmware | 11 |
| Ac21 Firmware | 11 |
| Ac7 Firmware | 10 |
| Fax Server | 8 |
| Interactive Voice Response | 8 |
| Fh1201 Firmware | 8 |
| Ax1803 Firmware | 7 |
| Fh451 Firmware | 7 |
| W12 Firmware | 6 |
| Ac1206 Firmware | 6 |
| Tx3 Firmware | 6 |

Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-4252 | A critical authentication bypass vulnerability exists in Tenda AC8 router firmware version 16.03.50.11 where the IPv6 handler function check_is_ipv6 relies on IP address for authentication, allowing remote attackers to gain unauthorized access. The vulnerability has a publicly available proof-of-concept exploit on GitHub and scores 9.8 CVSS, enabling complete compromise of the affected device with no authentication required. While not currently listed in CISA KEV, the combination of public exploit availability and ease of exploitation makes this a high-priority vulnerability for organizations using affected Tenda routers. | HIGH | 8.9 | 0.1% | 65 | PoC, No patch |
| CVE-2026-4567 | Stack-based buffer overflow in Tenda A15 router firmware version 15.13.07.13 allows unauthenticated remote attackers to achieve complete system compromise through a malicious file upload to the UploadCfg function. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network with trivial complexity. | HIGH | 8.9 | 0.1% | 65 | PoC, No patch |
| CVE-2026-4489 | Stack-based buffer overflow in Tenda A18 Pro firmware version 02.03.02.28 allows authenticated remote attackers to achieve complete system compromise through the /goform/fast_setting_wifi_set endpoint. Public exploit code is available and actively being weaponized against this unpatched vulnerability. Attackers with network access and valid credentials can execute arbitrary code with full system privileges. | HIGH | 8.8 | 0.0% | 64 | PoC, No patch |
| CVE-2026-4490 | Stack-based buffer overflow in Tenda A18 Pro firmware version 02.03.02.28 enables authenticated remote attackers to achieve code execution with high privileges through the setSchedWifi function. Public exploit code is available for this vulnerability, and no patch has been released, leaving affected devices exposed to active exploitation. An attacker with network access and valid credentials can trigger the overflow to compromise system integrity and confidentiality. | HIGH | 8.8 | 0.0% | 64 | PoC, No patch |
| CVE-2026-4491 | Stack-based buffer overflow in Tenda A18 Pro firmware version 02.03.02.28 allows remote attackers with low privileges to achieve complete system compromise through manipulation of the SetIpMacBind function arguments. Public exploit code exists for this vulnerability, and no patch is currently available. An authenticated attacker can execute arbitrary code remotely without user interaction, affecting confidentiality, integrity, and availability of affected devices. | HIGH | 8.8 | 0.0% | 64 | PoC, No patch |
| CVE-2026-4492 | Remote code execution in Tenda A18 Pro firmware 02.03.02.28 allows authenticated attackers to achieve full system compromise through stack-based buffer overflow in the QoS configuration function. Public exploit code exists for this vulnerability and no patch is currently available, leaving deployed devices at immediate risk. | HIGH | 8.8 | 0.0% | 64 | PoC, No patch |
| CVE-2026-4493 | Stack-based buffer overflow in Tenda A18 Pro MAC filtering configuration allows remote authenticated attackers to achieve full system compromise through manipulation of the deviceList parameter. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw impacts the /goform/setMacFilterCfg endpoint with a CVSS score of 8.8. | HIGH | 8.8 | 0.0% | 64 | PoC, No patch |
| CVE-2026-5684 | Stack-based buffer overflow in Tenda CX12L router firmware version 16.03.53.12 enables adjacent network attackers with low-level credentials to execute arbitrary code or crash the device. The vulnerability resides in the webExcptypemanFilter function's handling of the 'page' parameter. Publicly available exploit code exists (GitHub POC published), elevating immediate risk for exposed devices. CVSS 8.6 reflects high impact across confidentiality, integrity, and availability within the adjacent network attack surface. | HIGH | 8.6 | 0.0% | 63 | PoC, No patch |
| CVE-2026-4565 | Buffer overflow in Tenda AC21 firmware version 16.03.08.16 allows authenticated remote attackers to achieve complete system compromise through crafted QoS configuration requests to the SetNetControlList endpoint. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials can execute arbitrary code with full system privileges (confidentiality, integrity, and availability impact). | HIGH | 7.4 | 0.1% | 57 | PoC |
| CVE-2026-6123 | Stack-based buffer overflow in Tenda F451 router firmware 1.0.0.7 enables authenticated remote attackers to execute arbitrary code with high privileges via crafted 'entrys' parameter to the /goform/addressNat endpoint. The vulnerability resides in the fromAddressNat function of the httpd component. Public exploit code is available (GitHub), with EPSS indicating moderate exploitation probability. Requires low-privilege authentication (PR:L) but has low attack complexity (AC:L), making it accessible to attackers with basic router credentials. | HIGH | 7.4 | 0.1% | 57 | PoC, No patch |
| CVE-2026-4534 | Stack overflow in Tenda FH451 firmware version 1.0.0.9 allows authenticated remote attackers to execute arbitrary code through improper input validation in the WrlExtraSet function. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw requires network access and valid credentials but can completely compromise the affected device's confidentiality, integrity, and availability. | HIGH | 7.4 | 0.0% | 57 | PoC, No patch |
| CVE-2026-4535 | Stack-based buffer overflow in Tenda FH451 1.0.0.9 allows authenticated remote attackers to achieve complete system compromise through crafted input to the WrlclientSet endpoint. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw enables attackers with valid credentials to execute arbitrary code with full system privileges. | HIGH | 7.4 | 0.0% | 57 | PoC, No patch |
| CVE-2026-4551 | Tenda F453 version 1.0.0.3 contains a stack-based buffer overflow in the SafeClientFilter parameter handler that allows authenticated remote attackers to execute arbitrary code by manipulating the manufacturer/Go argument. Public exploit code exists for this vulnerability and no patch is currently available, creating significant risk for affected deployments. | HIGH | 7.4 | 0.0% | 57 | PoC, No patch |
| CVE-2026-4552 | Stack-based buffer overflow in Tenda F453 firmware version 1.0.0.3 allows remote attackers to achieve complete system compromise through manipulation of the page parameter in the VirtualSer handler. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with network access can execute arbitrary code with high impact on confidentiality, integrity, and availability. | HIGH | 7.4 | 0.0% | 57 | PoC, No patch |
| CVE-2026-4902 | Remote attackers with low-level authentication can achieve full system compromise on Tenda AC5 routers running firmware version 15.03.06.47 by exploiting a stack-based buffer overflow in the addressNat POST request handler. The fromAddressNat function fails to validate the 'page' parameter, enabling memory corruption that leads to high confidentiality, integrity, and availability impact (CVSS 8.8). Publicly available exploit code exists, significantly lowering the barrier to exploitation. | HIGH | 7.4 | 0.0% | 57 | PoC, No patch |