Description
A vulnerability was determined in Tenda i12 1.0.0.11(3862). The impacted element is an unknown function of the component HTTP Handler. Executing a manipulation can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Path Traversal leading to unauthorized file access
Action: Patch
AI Analysis

Impact

A vulnerability has been identified in Tenda i12 firmware version 1.0.0.11 (build 3862) that allows an attacker to perform a path traversal through the HTTP Handler component. By sending a crafted HTTP request, a remote attacker can instruct the device to read or write files outside the intended directory, potentially exposing sensitive configuration files or enabling the upload of malicious code. This falls under the CWE‑22 weakness category. The impact is the ability for an attacker to read confidential data or execute unauthorized code on the device.

Affected Systems

The affected product is Tenda i12, specifically firmware version 1.0.0.11 (build 3862). Only devices running this exact firmware build are known to be vulnerable; newer firmware releases may have addressed the flaw.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability. The exploit is accessible over the network and has been publicly disclosed, meaning that a remote adversary can exploit this flaw without needing local access. Although EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, the nature of the attack vector and the existence of public proof‑of‑concept code elevate the risk for exposed devices. Organizations should treat the exposure as a potentially serious threat if the target device is reachable from the internet or an untrusted network.

Generated by OpenCVE AI on April 9, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Tenda for the i12 device that addresses the HTTP path traversal flaw.
  • If no update is available, restrict external HTTP access to the device by configuring firewall rules or placing the device behind a VPN so that only trusted networks can reach it.
  • Monitor web server logs for suspicious URI patterns containing ".." or other traversal indicators to detect possible exploitation attempts.
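The log-monitoring action above, sketched as an added example (not code from OpenCVE or Tenda). It assumes requests to the device pass through something that writes common/combined-format access logs. The function names and the sample lines are constructed for illustration; the sample lines show generic traversal patterns, not the request that triggers this CVE.

```python
import re
from urllib.parse import unquote

# Assumed log format: common/combined access log; adjust for your proxy or device.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Overlong UTF-8 encodings of "." and "/" that lenient decoders accept.
OVERLONG_RE = re.compile(r"%c0%(?:ae|af)|%e0%80%(?:ae|af)", re.I)
MAX_DECODE_ROUNDS = 3  # catches double and triple percent-encoding

def traversal_reason(target):
    """Return why a request target looks like traversal, or None if it does not."""
    if OVERLONG_RE.search(target):
        return "overlong-utf8"
    decoded = target
    for rounds in range(MAX_DECODE_ROUNDS + 1):
        # Split on path and query delimiters; backslash counts as a separator.
        if ".." in re.split(r"[/\\?&=;]", decoded):
            return "dot-dot" if rounds == 0 else f"encoded-dot-dot(x{rounds})"
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return None

def scan(lines):
    """Return (client_ip, target, reason) for every suspicious log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and (reason := traversal_reason(m["target"])):
            hits.append((m["ip"], m["target"], reason))
    return hits

# Constructed sample lines (generic patterns, not the request for this CVE).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Apr/2026:06:30:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [09/Apr/2026:06:30:02 +0000] "GET /css/app..min.css HTTP/1.1" 200 90',
    '198.51.100.7 - - [09/Apr/2026:06:31:10 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 200 1',
    '198.51.100.7 - - [09/Apr/2026:06:31:11 +0000] "GET /static/..%2f..%2fetc/passwd HTTP/1.1" 404 0',
    '198.51.100.7 - - [09/Apr/2026:06:31:12 +0000] "GET /img/%252e%252e%252fconfig HTTP/1.1" 404 0',
    '203.0.113.5 - - [09/Apr/2026:06:32:00 +0000] "GET /cgi/%c0%ae%c0%ae/x HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for ip, target, reason in scan(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{target}")
```

Matching whole ".." segments after repeated decoding avoids flagging benign names such as `app..min.css` while still catching single- and double-encoded forms that a plain substring search on the raw log line would miss.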



Advisories

No advisories yet.

History

Thu, 09 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda i12
Vendors & Products | | Tenda i12

Thu, 09 Apr 2026 05:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in Tenda i12 1.0.0.11(3862). The impacted element is an unknown function of the component HTTP Handler. Executing a manipulation can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Title | | Tenda i12 HTTP path traversal
First Time appeared | | Tenda, Tenda i12 Firmware
Weaknesses | | CWE-22
CPEs | | cpe:2.3:o:tenda:i12_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Tenda, Tenda i12 Firmware
References | |
Metrics | | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-09T13:18:58.857Z

Reserved: 2026-04-08T19:15:41.294Z

Link: CVE-2026-5849

Vulnrichment

Updated: 2026-04-09T13:18:53.443Z

NVD

Status: Received

Published: 2026-04-09T06:16:23.393

Modified: 2026-04-09T06:16:23.393

Link: CVE-2026-5849

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:24:54Z

Weaknesses