Description
A vulnerability was determined in Tenda CX12L 16.03.53.12. Affected by this issue is the function fromwebExcptypemanFilter of the file /goform/webExcptypemanFilter. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack requires access to the local network. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-06
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via local network
Action: Immediate Patch
AI Analysis

Impact

A stack-based buffer overflow exists in the fromwebExcptypemanFilter function behind the /goform/webExcptypemanFilter endpoint on the Tenda CX12L router. When a manipulated page parameter is supplied from the local network, the overflow corrupts the stack, permitting an attacker to execute arbitrary code with the privileges of the router’s firmware. This can compromise the confidentiality, integrity, and availability of the device and of any devices on the local network.

Affected Systems

The vulnerability was identified in the Tenda CX12L router running firmware version 16.03.53.12. No other product versions or vendors were listed as affected.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. The EPSS score is below 1% (very low), but the flaw has been publicly disclosed and can be exploited by anyone with local network access. The vulnerability is not listed in the CISA KEV catalog, and the requirement for local network access limits the attack surface to administrators or compromised devices on the network. The potential for arbitrary code execution makes prompt remediation essential.

Generated by OpenCVE AI on April 7, 2026 at 02:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to a release that removes the vulnerability (check the vendor website for a newer version of CX12L firmware).
  • Restrict administrative access to the web interface using network segmentation or firewall rules so only trusted management hosts can reach port 80/443.
  • Disable remote management features if they are not required.
  • If the vendor has not released an update, temporarily block external access to the affected endpoint (/goform/webExcptypemanFilter) by configuring access control lists.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda; Tenda cx12l
Vendors & Products | | Tenda; Tenda cx12l

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in Tenda CX12L 16.03.53.12. Affected by this issue is the function fromwebExcptypemanFilter of the file /goform/webExcptypemanFilter. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack requires access to the local network. The exploit has been publicly disclosed and may be utilized.
Title | | Tenda CX12L webExcptypemanFilter fromwebExcptypemanFilter stack-based overflow
Weaknesses | | CWE-119; CWE-121
References | |
Metrics | | cvssV2_0 {'score': 7.7, 'vector': 'AV:A/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 8, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-07T13:40:48.280Z

Reserved: 2026-04-06T10:14:07.040Z

Link: CVE-2026-5684

Vulnrichment

Updated: 2026-04-07T13:40:43.059Z

NVD

Status: Awaiting Analysis

Published: 2026-04-06T22:16:24.483

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-5684

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:36:58Z

Weaknesses