CVE-2026-36811 - Vulnerability Details

- Denial of Service via Buffer Overflow in Tenda W15E Router Web Interface

Description

Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the picName parameter of the formDelwebAuthPic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

Published: 2026-06-09

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Shenzhen Tenda Technology’s W15E router firmware version 15.11.0.10 contains a buffer overflow in the picName parameter of the formDelwebAuthPic handler. The overflow occurs when an attacker sends an HTTP request with an unusually large picName value, which causes the router’s web interface to crash and become unavailable. Because the flaw does not enable code execution or privilege escalation, its effect is limited to an availability disruption.

Affected Systems

The affected device is the Tenda W15E router running firmware 15.11.0.10. No other devices or firmware revisions are currently identified as vulnerable in the publicly available information.

Risk and Exploitability

The flaw requires the attacker to access the router’s HTTP interface, so the most plausible attack vector is a remote attacker crafting a malicious request from outside the local network. The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, indicating that widespread exploitation has not been documented yet. Nevertheless, a buffer overflow is a reliable method for causing a service crash, presenting a high‑severity denial of service risk to any owner of the affected device.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Tenda

W15e

100%

Version	Status	Scheme	Platform
`v15.11.0.10`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install the latest firmware release from Tenda that removes the buffer overflow defect.
If no firmware update is available, deny or limit external access to the router’s HTTP port (port 80 or 443) using firewall rules or the router’s built‑in access‑control settings.
Implement input validation on the router’s web interface to restrict the length of picName parameters and perform bounds checking before copying data into fixed‑size buffers.

Generated by OpenCVE AI on June 10, 2026 at 23:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00309.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/xhh0124/SemVulLLM/tree/main/W15E/formDelwebAuthPic

History

Thu, 11 Jun 2026 00:00:00 +0000

Type	Values Removed	Values Added
Title		Denial of Service via Buffer Overflow in Tenda W15E Router Web Interface

Wed, 10 Jun 2026 22:15:00 +0000

Type	Values Removed	Values Added
Title	Buffer Overflow in Tenda W15E formDelwebAuthPic Causing Denial of Service
Weaknesses	CWE-119

Wed, 10 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 10 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tenda Tenda w15e
Vendors & Products		Tenda Tenda w15e

Tue, 09 Jun 2026 22:30:00 +0000

Type	Values Removed	Values Added
Title		Buffer Overflow in Tenda W15E formDelwebAuthPic Causing Denial of Service
Weaknesses		CWE-119 CWE-120

Tue, 09 Jun 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the picName parameter of the formDelwebAuthPic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
References		https://github.com/xhh0124/SemVulLLM/tree/main/W15E/formDelwebAuthPic

Subscriptions

Tenda W15e

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-09T00:00:00.000Z

Updated: 2026-06-10T19:31:52.587Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36811

Vulnrichment

Updated: 2026-06-10T19:04:26.050Z

NVD

Status : Deferred

Published: 2026-06-09T19:17:46.873

Modified: 2026-06-10T20:17:13.320

Link: CVE-2026-36811

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:45:44Z

Weaknesses

CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object