This vulnerability is an improper output encoding flaw in Shenzhen Tenda AC7's web management interface. Inputs supplied by users are reflected in HTTP responses without proper escaping, enabling attackers to inject arbitrary HTML or JavaScript. The flaw can be exploited to execute malicious scripts in the victim's browser session, potentially leading to session hijacking, defacement, or data theft. The weakness is classified as CWE‑79.

The affected hardware is the Shenzhen Tenda AC7 router, specifically firmware versions V03.03.03.01_cn and all earlier releases. Users of these firmware builds who can access the device's web interface are vulnerable, and the issue persists across all models that ship with the same embedded web server code.

The CVSS score of 5.1 indicates a moderate severity, but the EPSS score of less than 1% and absence from CISA's KEV list suggest that exploitation is unlikely at present. Attackers would likely craft a malicious URL or form that includes the unsanitized user input and lure a legitimate user to visit that link while connected to the local network. In environments where the web interface is exposed to external networks or used by multiple users, the risk of successful exploitation rises. Mitigation requires firmware updates that address improper output encoding, along with network segmentation or access control to limit who can reach the interface.