Description
A weakness has been identified in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. Impacted is an unknown function of the file /boaform/formSamba of the component Boa Webserver. Executing a manipulation of the argument serverString can lead to command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-01-30
Score: 6.9 Medium
EPSS: 2.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in the Boa Webserver component on the Tenda HG10 router. By crafting a malicious value for the serverString argument in the /boaform/formSamba endpoint, an attacker can execute arbitrary operating‑system commands on the device. This flaw can be triggered remotely. The description does not specify whether authentication is required to access the endpoint, so the need for credentials remains uncertain.

Affected Systems

The affected product is the Tenda HG10 router, specifically the firmware version identified as US_HG7_HG9_HG10re_300001138_en_xpon. No other vendors or product families are listed, and the vulnerability is confined to this specific model.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity, and an EPSS score of 2% indicates a low probability of exploitation. An exploit is publicly available, but the vulnerability is not listed in the CISA KEV catalog, so it has not been confirmed as actively exploited. The attack vector is remote: the command injection can be exercised over the network by sending HTTP requests to the exposed Boa Webserver interface.

Generated by OpenCVE AI on June 18, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a firmware update from Tenda that corrects the serverString input handling bug once one is available (addresses CWE-77).
  • Enforce strict input validation and sanitization on the serverString parameter to prevent arbitrary command execution (CWE-77). Implement a whitelist approach or escape mechanism.
  • Restrict access to the Boa Webserver interface by requiring authentication and limiting connections to trusted IP ranges to reduce exposure. Optionally disable the /boaform/formSamba endpoint if your router OS permits.


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:tenda:hg10_firmware:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Tenda hg10 Firmware
CPEs cpe:2.3:h:tenda:hg10:-:*:*:*:*:*:*:*
cpe:2.3:o:tenda:hg10_firmware:-:*:*:*:*:*:*:*
Vendors & Products Tenda hg10 Firmware

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Tenda
Tenda hg10
Vendors & Products Tenda
Tenda hg10

Fri, 30 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 30 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. Impacted is an unknown function of the file /boaform/formSamba of the component Boa Webserver. Executing a manipulation of the argument serverString can lead to command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
Title Tenda HG10 Boa Webserver formSamba command injection
Weaknesses CWE-74
CWE-77
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:09:26.903Z

Reserved: 2026-01-30T07:51:50.019Z

Link: CVE-2026-1687

Vulnrichment

Updated: 2026-01-30T16:26:24.509Z

NVD

Status: Analyzed

Published: 2026-01-30T16:16:12.833

Modified: 2026-06-17T10:16:19.273

Link: CVE-2026-1687

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T05:30:15Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')