Impact
The flaw in the Tenda W30E V2 firmware is that the web management interface fails to set the X-Content-Type-Options: nosniff header. Because browsers perform MIME sniffing when this header is missing, they may interpret crafted responses as executable JavaScript even when the declared content type is not a script type. The vulnerability thus allows an attacker who can influence the content served by the router to cause a client’s browser to execute arbitrary script. The impact is limited to the victim who browses the router’s interface, potentially enabling cross‑site scripting or other client‑side code execution.
Affected Systems
This issue affects the Shenzhen Tenda W30E V2 router. Firmware versions up to and including V16.01.0.19(5037) are vulnerable. The flaw exists on the web management pages accessible through the device’s IP address from the local network.
Risk and Exploitability
The CVSS vector gives a base score of 2.1, indicating low severity. The EPSS score is below 1%, meaning the probability of exploitation is very low. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires that a user with a standard browser visits the router’s web UI and that the attacker can inject malicious content into the responses. The lack of the nosniff header facilitates client‑side code execution, but the overall risk remains low because of the limited attack surface and the need for user interaction.
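A defender-side check for the missing header described above, as an added example that is not part of the original advisory or of any vendor tooling: it audits saved HTTP responses for an effective nosniff header, applying the browser rule that repeated headers are joined and only the first comma-separated value counts. The sample responses and their paths are constructed for illustration.

```python
# Added example: offline audit of saved HTTP responses for an effective
# X-Content-Type-Options: nosniff header. Sample data below is constructed.

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (lowercased name, value) pairs from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip(" \t")))
    return pairs

def has_nosniff(raw: bytes) -> bool:
    """True only if a browser would honor nosniff for this response.

    Browsers join repeated X-Content-Type-Options headers, split on commas,
    and compare only the first value, case-insensitively, with "nosniff".
    """
    values = [v for n, v in parse_headers(raw) if n == "x-content-type-options"]
    if not values:
        return False
    first = ", ".join(values).split(",")[0].strip(" \t")
    return first.lower() == "nosniff"

def audit(responses: dict[str, bytes]) -> list[str]:
    """Return the paths whose responses lack an effective nosniff header."""
    return sorted(p for p, raw in responses.items() if not has_nosniff(raw))

# Constructed sample responses; the paths are hypothetical.
SAMPLES = {
    "/login.html": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "/status.txt": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                   b"x-content-type-options: NoSniff\r\n\r\nok",
    "/export.cfg": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                   b"X-Content-Type-Options: none, nosniff\r\n\r\ncfg",
    "/logo.png":   b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
                   b"X-Content-Type-Options: nosniff\r\n\r\n\x89PNG",
}

if __name__ == "__main__":
    for path in audit(SAMPLES):
        print(f"missing or ineffective nosniff: {path}")
```

A header that is present but whose first value is not nosniff is reported the same as a missing one, since the browser treats both identically.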