The vulnerability is a content-type confusion flaw in the administrative interface of Shenzhen Tenda F3 routers. Responses omit the X-Content-Type-Options: nosniff header and contain attacker-controlled content that is reflected into the response body. When a browser performs MIME sniffing, the response can be rendered as active HTML, allowing injected scripts to run within the context of the router’s administrative UI. This grants an attacker the ability to execute arbitrary JavaScript with the authority of the admin session, potentially leading to privilege escalation, data exfiltration, or further compromise of the device. The weakness aligns with CWE‑79 (Cross‑Site Scripting) and CWE‑116 (Wrong Type Functionality).

Shenzhen Tenda Technology Co., Ltd. Tenda F3 wireless routers, specifically firmware version V12.01.01.55_multi. No other affected product versions are listed.

The CVSS score is 5.1, indicating moderate severity, and the EPSS score is below 1%, suggesting a low probability of exploitation. The vulnerability is not present in the CISA KEV catalog. The likely attack vector is via the web-based admin interface accessed from a browser; an attacker must deliver a crafted request or entice an administrator to visit a malicious URL that triggers the reflected content. Because the flaw hinges on browser MIME sniffing behavior, its exploitation would be most effective against browsers that do not enforce nosniff defaults.