CVE-2026-36808 - Vulnerability Details

- Buffer Overflow in Tenda W15E Web Authentication Endpoint Causing DoS

Description

Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthUserInfo parameter of the formAddWebAuthUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

Published: 2026-06-09

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A buffer overflow exists in the webAuthUserInfo parameter of the formAddWebAuthUser function in Shenzhen Tenda Technology Co., Ltd’s Tenda W15E firmware version 15.11.0.10. The overflow is triggered by crafting a specific HTTP request, and an attacker can exploit it to crash the web authentication service, resulting in a denial of service. The vulnerability does not disclose remote code execution or data leakage, but it can cause disruption of network management and access control for affected devices.

Affected Systems

The flaw is present in the Tenda W15E router running firmware version 15.11.0.10. No other vendors or products are implicated by the current advisory. Users who operate this specific firmware revision should be aware of the risk.

Risk and Exploitability

This vulnerability is not listed in the CISA KEV catalog and has an EPSS score of < 1%, indicating limited information on public exploitation. The description states that attackers can trigger the bug by sending a crafted HTTP request to the webAuthUserInfo parameter; the need for authentication is not mentioned, so the likely attack vector is via an unauthenticated external HTTP request, but this is inferred rather than explicitly stated. The lack of remote code execution confines the impact to availability only. The CVSS score of 7.5 indicates a high severity. A successful exploit can crash the web authentication service, disrupting network management and access control for the affected device.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Tenda

W15e

80%

Version	Status	Scheme	Platform
`[0,15.11.0.10]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the router to a newer firmware revision that eliminates the buffer overflow, if one is released by Shenzhen Tenda
Configure the device to disable or restrict access to the formAddWebAuthUser endpoint, such as requiring authentication or limiting the IP ranges that can issue requests
Apply network‑layer filtering or a web‑application firewall rule to block malformed payloads that target the webAuthUserInfo parameter

Generated by OpenCVE AI on June 10, 2026 at 23:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00309.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/xhh0124/SemVulLLM/tree/main/W15E/formAddWebAuthUser

History

Thu, 11 Jun 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title		Buffer Overflow in Tenda W15E Web Authentication Endpoint Causing DoS

Wed, 10 Jun 2026 22:45:00 +0000

Type	Values Removed	Values Added
Title	Buffer Overflow in Tenda W15E Web Authentication Service Causes Denial of Service
Weaknesses	CWE-119

Wed, 10 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-120
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 10 Jun 2026 04:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tenda Tenda w15e
Vendors & Products		Tenda Tenda w15e

Tue, 09 Jun 2026 23:15:00 +0000

Type	Values Removed	Values Added
Title		Buffer Overflow in Tenda W15E Web Authentication Service Causes Denial of Service
Weaknesses		CWE-119

Tue, 09 Jun 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthUserInfo parameter of the formAddWebAuthUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
References		https://github.com/xhh0124/SemVulLLM/tree/main/W15E/formAddWebAuthUser

Subscriptions

Tenda W15e

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-09T00:00:00.000Z

Updated: 2026-06-10T19:32:12.286Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36808

Vulnrichment

Updated: 2026-06-10T19:04:29.247Z

NVD

Status : Deferred

Published: 2026-06-09T19:17:46.520

Modified: 2026-06-10T20:17:05.257

Link: CVE-2026-36808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T00:00:14Z

Weaknesses

CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object