Description
A flaw has been found in Tenda AC5 15.03.06.47. This vulnerability affects the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. This manipulation of the argument PPPOEPassword causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been published and may be used.
Published: 2026-03-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote stack‑based buffer overflow
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is caused by a stack‐based buffer overflow in the Tenda AC5 firmware 15.03.06.47, triggered by manipulating the PPPOEPassword argument of the formQuickIndex function that handles POST requests. The overflow can corrupt the stack, potentially allowing an attacker to execute arbitrary code or otherwise compromise the device. The weakness maps to CWE-119 (improper restriction of operations within bounds) and CWE-121 (stack-based buffer overflow).

Affected Systems

The affected product is the Tenda AC5 router running firmware version 15.03.06.47. No other versions are listed in the CNA data, so the risk is confined to this specific build.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, but the EPSS score is unavailable and the vulnerability is not listed in CISA’s KEV catalog, so exact exploitation likelihood is unknown. The description states the attack may be initiated remotely via a crafted POST request, and that an exploit has already been published. Given the high impact and potential remote initiation, the overall risk remains high.

Generated by OpenCVE AI on March 27, 2026 at 06:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to the latest version available from the official Tenda website.
  • If an update is not yet available, temporarily disable external access to the /goform/QuickIndex endpoint via firewall or router ACLs.
  • Monitor router logs for suspicious POST requests or abnormal activity.

Generated by OpenCVE AI on March 27, 2026 at 06:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Tenda ac5
Vendors & Products Tenda ac5

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Description A flaw has been found in Tenda AC5 15.03.06.47. This vulnerability affects the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. This manipulation of the argument PPPOEPassword causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been published and may be used.
Title Tenda AC5 POST Request QuickIndex formQuickIndex memory corruption
First Time appeared Tenda
Tenda ac5 Firmware
Weaknesses CWE-119
CWE-121
CPEs cpe:2.3:o:tenda:ac5_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tenda
Tenda ac5 Firmware
References
Metrics cvssV2_0

{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Tenda Ac5 Ac5 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-26T22:30:18.420Z

Reserved: 2026-03-26T15:57:53.324Z

Link: CVE-2026-4903

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-26T23:16:21.307

Modified: 2026-03-26T23:16:21.307

Link: CVE-2026-4903

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:22:57Z

Weaknesses