CVE-2026-3166 - Vulnerability Details

- Tenda F453 httpd RouteStatic fromRouteStatic buffer overflow

Description

A vulnerability was identified in Tenda F453 1.0.0.3. The affected element is the function fromRouteStatic of the file /goform/RouteStatic of the component httpd. Such manipulation of the argument page leads to buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used.

Published: 2026-02-25

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A buffer overflow exists in the fromRouteStatic function of the /goform/RouteStatic HTTP endpoint on the Tenda F453 router. By supplying a specially crafted "page" argument, an attacker can overflow a stack buffer, which may allow arbitrary code execution on the device. The vulnerability is rated CVSS 8.7, indicating a high‑severity flaw. The flaw is based on CWE-119 and CWE-120 weaknesses in the handling of input data.

Affected Systems

The affected system is the Tenda F453 router running firmware version 1.0.0.3. No other products or versions are listed in the CNA data.

Risk and Exploitability

The risk is high because the flaw permits remote code execution, yet the EPSS score is below 1% and the vulnerability is not listed in the KEV catalog. However, the exploit is publicly available, so the threat remains real. An attacker can reach the vulnerable endpoint over the network, sending malicious input without needing any local access. Because the CVSS score is 8.7, the exploitation would grant extensive control over the router, potentially compromising network traffic and connected devices.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Tenda

F453

affected

Version	Status	Constraints
`1.0.0.3`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:tenda:f453_firmware:1.0.0.3:*:*:*:*:*:*:*

cpe:2.3:h:tenda:f453:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Tenda

F453

100%

Version	Status	Scheme	Platform
`1.0.0.3`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Tenda F453 firmware to a version that eliminates the buffer overflow bug.
Limit access to the router’s web management interface to the local network or over a secure VPN; block external access on the HTTP port.
Configure a firewall or access list to deny traffic to the /goform/RouteStatic endpoint from untrusted sources and monitor logs for attempts to exploit the endpoint.

Generated by OpenCVE AI on April 17, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00106.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/Litengzheng/vul_db/blob/main/F453/vul_65/README.md
https://vuldb.com/?ctiid.347673
https://vuldb.com/?id.347673
https://vuldb.com/?submit.759589
https://www.tenda.com.cn/

History

Wed, 25 Feb 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 25 Feb 2026 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tenda f453 Firmware
CPEs		cpe:2.3:h:tenda:f453:-:::::::* cpe:2.3:o:tenda:f453_firmware:1.0.0.3:::::::*
Vendors & Products		Tenda f453 Firmware

Wed, 25 Feb 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tenda Tenda f453
Vendors & Products		Tenda Tenda f453

Wed, 25 Feb 2026 06:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in Tenda F453 1.0.0.3. The affected element is the function fromRouteStatic of the file /goform/RouteStatic of the component httpd. Such manipulation of the argument page leads to buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used.
Title		Tenda F453 httpd RouteStatic fromRouteStatic buffer overflow
Weaknesses		CWE-119 CWE-120
References		https://github.com/Litengzheng/vul_db/blob/main/F453/vul_65/README.md https://vuldb.com/?ctiid.347673 https://vuldb.com/?id.347673 https://vuldb.com/?submit.759589 https://www.tenda.com.cn/
Metrics		cvssV2_0 `{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Tenda F453 F453 Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-25T06:32:09.666Z

Updated: 2026-02-25T21:08:45.250Z

Reserved: 2026-02-24T21:58:46.716Z

Link: CVE-2026-3166

Vulnrichment

Updated: 2026-02-25T21:08:26.450Z

NVD

Status : Analyzed

Published: 2026-02-25T07:16:02.420

Modified: 2026-02-25T17:53:07.977

Link: CVE-2026-3166

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object