| Metric | Value |
|---|---|
| CVEs | 7 |
| Critical | 0 |
| High | 2 |
| KEV | 0 |
| PoC | 6 |
| Unpatched C/H | 2 |
| Patch Rate | 0.0% |
| Avg EPSS | 1.0% |

Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 0 |
| HIGH | 2 |
| MEDIUM | 0 |
| LOW | 5 |

Affected Products (30)

| Product | Count |
|---|---|
| Ac6 Firmware | 36 |
| Ac18 Firmware | 24 |
| Ac10 Firmware | 20 |
| Ac8 Firmware | 18 |
| Ax3 Firmware | 18 |
| Ac9 Firmware | 18 |
| Fh1202 Firmware | 17 |
| W18E Firmware | 13 |
| G3 Firmware | 13 |
| Ac15 Firmware | 13 |
| Ch22 Firmware | 13 |
| Rx3 Firmware | 12 |
| Ax1806 Firmware | 11 |
| Ac20 Firmware | 11 |
| Ac21 Firmware | 11 |
| Rx2 Pro Firmware | 11 |
| PHP | 11 |
| Ac7 Firmware | 11 |
| O3 Firmware | 9 |
| Fh1201 Firmware | 8 |
| Fax Server | 8 |
| Interactive Voice Response | 8 |
| Ax1803 Firmware | 7 |
| Fh451 Firmware | 7 |
| Tx3 Firmware | 6 |
| Ac1206 Firmware | 6 |
| W12 Firmware | 6 |
| I24 Firmware | 5 |
| Ac5 Firmware | 5 |
| Ac23 Firmware | 5 |

Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-7470 | Stack-based buffer overflow in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01 allows authenticated remote attackers to execute arbitrary code with elevated privileges via crafted SafeMacFilter requests. The vulnerability resides in function sub_427C3C at endpoint /goform/SafeMacFilter, where insufficient input validation of the 'page' parameter enables memory corruption. Public exploit code exists on GitHub (Axelioc/CVE), significantly lowering the barrier to exploitation for attackers with valid router credentials. CVSS 7.4 reflects high confidentiality, integrity, and availability impact requiring only low-privilege authentication. | HIGH | 7.4 | 0.0% | 57 | PoC, No patch |
| CVE-2026-8138 | Stack-based buffer overflow in Tenda CX12L router firmware 16.03.53.12 allows authenticated remote attackers to achieve full system compromise via the PPTP server configuration interface. The vulnerability resides in the formSetPPTPServer function within /goform/SetPptpServerCfg and is exploitable over the network with low attack complexity. A public proof-of-concept exploit exists on GitHub, significantly lowering the barrier to exploitation, though CISA has not yet added this to the KEV catalog indicating no confirmed widespread active exploitation at this time. | HIGH | 7.4 | 0.0% | 57 | PoC, No patch |
| CVE-2026-7469 | Command injection in Tenda 4G300 US version 1.01.42 allows authenticated remote attackers to execute arbitrary system commands via the delflag parameter in the /goform/DelFil endpoint. The vulnerability affects the sub_425A28 function and has publicly available exploit code; CVSS 6.3 reflects authenticated access requirement but moderate impact scope. | LOW | 2.1 | 2.7% | 33 | PoC, No patch |
| CVE-2026-8264 | Remote authenticated command injection in Tenda AC6 router firmware version 15.03.06.23 allows authenticated attackers to execute arbitrary OS commands via manipulation of the wl2g.public.country or wl5g.public.country parameters in the /goform/WifiApScan endpoint. The vulnerability affects the httpd component's formWifiApScan function and has publicly available exploit code, presenting moderate risk to affected deployments. | LOW | 2.1 | 2.7% | 33 | PoC, No patch |
| CVE-2026-8259 | OS command injection in Tenda AC6 2.0/15.03.06.23 httpd daemon allows authenticated remote attackers to execute arbitrary system commands via the lan.ip parameter in /goform/telnet endpoint. The vulnerability requires high-level administrative privileges and has publicly available exploit code; real-world risk is limited by authentication requirement despite network accessibility and low attack complexity. | LOW | 2.0 | 0.6% | 31 | PoC, No patch |
| CVE-2026-8265 | Remote command injection in Tenda AC6 version 15.03.06.23 allows authenticated remote attackers to execute arbitrary OS commands via the wans.flag parameter in the /goform/getLogFile endpoint. The vulnerability has publicly available exploit code and may be actively exploited. Attack complexity is low, requiring only network access and high-level authentication privileges, with potential for confidentiality, integrity, and authenticity impacts. | LOW | 2.0 | 0.6% | 31 | PoC, No patch |
| CVE-2026-8263 | OS command injection in Tenda AC6 firmware version 15.03.06.49_multi_TDE01 allows high-privilege remote attackers to execute arbitrary commands via manipulation of mac/ssid parameters in the fromSetWirelessRepeat function exposed through the /goform/WifiExtraSet HTTP endpoint. Public exploit code is available, though the CVSS 2.0 score reflects limited impact scope due to requirement of high-privilege authentication and minimal confidentiality/integrity/availability effects beyond low-severity damage. | LOW | 2.0 | 0.6% | 11 | No patch |