CVE-2026-5339 - Vulnerability Details

Description

A vulnerability was detected in Tenda G103 1.0.0.5. The impacted element is the function action_set_net_settings of the file gpon.lua of the component Setting Handler. Performing a manipulation of the argument authLoid/authLoidPassword/authPassword/authSerialNo/authType/oltType/usVlanId/usVlanPriority results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.

Published: 2026-04-02

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the action_set_net_settings function of the gpon.lua handler in Tenda G103 firmware allows an attacker to inject arbitrary shell commands. By supplying specially crafted values for parameters such as authLoid, authPassword, and US VLAN identifiers, the device can execute commands supplied by the attacker. This vulnerability enables remote exploitation with potential to compromise confidentiality, integrity, and availability of the device and any network resources to which it connects. The weakness corresponds to CWE-74 (OS Command Injection) and CWE-77 (Command Injection).

Affected Systems

The affected system is the Tenda G103 router, running firmware version 1.0.0.5. No other versions or variants are reported as vulnerable in the provided data.

Risk and Exploitability

The CVSS score for this issue is 5.1, indicating a medium severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The publicly available exploit can be launched remotely by sending crafted HTTP requests to the router, likely over the network interface exposed to the attacker. No authentication requirements are detailed in the description, suggesting the API may be reachable without credentials, but the precise prerequisites are not explicitly stated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Tenda

G103

affected

Version	Status	Constraints
`1.0.0.5`	affected	—

No data.

Vendor Product Confidence Versions

Tenda

G103

100%

Version	Status	Scheme	Platform
`1.0.0.5`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check the vendor’s support site for an updated firmware release that addresses this command injection vulnerability and apply the patch immediately.
If no patch is available, block external access to the device’s management interface or remove the management API from the exposed network profile.
Monitor network traffic and device logs for abnormal command execution indicators, and reset any compromised credentials.
Consider isolating the router from critical network segments until a fix is deployed.

Generated by OpenCVE AI on April 2, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00467.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/ZZ2266/.github.io/tree/main/Tenda%20G103/authLoid
https://vuldb.com/submit/781132
https://vuldb.com/submit/781133
https://vuldb.com/submit/781134
https://vuldb.com/submit/781135
https://vuldb.com/submit/781142
https://vuldb.com/submit/781143
https://vuldb.com/submit/781144
https://vuldb.com/submit/781145
https://vuldb.com/vuln/354670
https://vuldb.com/vuln/354670/cti
https://www.tenda.com.cn/

History

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tenda g103
Vendors & Products		Tenda g103
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 02 Apr 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in Tenda G103 1.0.0.5. The impacted element is the function action_set_net_settings of the file gpon.lua of the component Setting Handler. Performing a manipulation of the argument authLoid/authLoidPassword/authPassword/authSerialNo/authType/oltType/usVlanId/usVlanPriority results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Title		Tenda G103 Setting gpon.lua action_set_net_settings command injection
First Time appeared		Tenda Tenda g103 Firmware
Weaknesses		CWE-74 CWE-77
CPEs		cpe:2.3:o:tenda:g103_firmware::::::::
Vendors & Products		Tenda Tenda g103 Firmware
References		https://github.com/ZZ2266/.github.io/tree/main/Tenda%20G103/authLoid https://vuldb.com/submit/781132 https://vuldb.com/submit/781133 https://vuldb.com/submit/781134 https://vuldb.com/submit/781135 https://vuldb.com/submit/781142 https://vuldb.com/submit/781143 https://vuldb.com/submit/781144 https://vuldb.com/submit/781145 https://vuldb.com/vuln/354670 https://vuldb.com/vuln/354670/cti https://www.tenda.com.cn/
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Tenda G103 G103 Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-02T14:15:12.509Z

Updated: 2026-04-02T15:55:52.097Z

Reserved: 2026-04-01T14:09:12.110Z

Link: CVE-2026-5339

Vulnrichment

Updated: 2026-04-02T15:55:45.695Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T15:16:53.080

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-5339

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:01Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object