Description
A flaw has been found in Tenda F451 1.0.0.7. Affected is the function fromRouteStatic of the file /goform/RouteStatic. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been published and may be used.
Published: 2026-04-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A stack-based buffer overflow exists in the fromRouteStatic function of the /goform/RouteStatic interface in Tenda F451 firmware 1.0.0.7. By manipulating the ‘page’ argument sent to this endpoint, a remote attacker can trigger the overflow, potentially causing arbitrary code execution, system crash, or denial of service. The vulnerability is rooted in classic stack overflow weaknesses catalogued as CWE-119 and CWE-121.

Affected Systems

The only affected system identified is the Tenda F451 router running firmware version 1.0.0.7. No other device models or firmware versions are noted in the current data.

Risk and Exploitability

With a CVSS score of 8.7, this issue is classified as High severity. The EPSS score is not available and the vulnerability is not currently listed in the CISA KEV catalog, but an exploit has been published and is demonstrably usable. The attack vector is remote, requiring only network access to the router’s management interface, making it easily exploitable by external adversaries.

Generated by OpenCVE AI on April 10, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Tenda that addresses the buffer overflow, preferably firmware 1.0.0.8 or newer.
  • If an update is unavailable, disable external access to the router’s web management interface or block the /goform/RouteStatic endpoint with firewall rules.
  • Keep the device behind NAT and restrict inbound traffic to the local LAN only.


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda f451
Vendors & Products | | Tenda f451

Thu, 09 Apr 2026 23:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in Tenda F451 1.0.0.7. Affected is the function fromRouteStatic of the file /goform/RouteStatic. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been published and may be used.
Title | | Tenda F451 RouteStatic fromRouteStatic stack-based overflow
First Time appeared | | Tenda; Tenda f451 Firmware
Weaknesses | | CWE-119; CWE-121
CPEs | | cpe:2.3:o:tenda:f451_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Tenda; Tenda f451 Firmware
References | |
Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-10T17:07:39.974Z

Reserved: 2026-04-09T12:36:50.179Z

Link: CVE-2026-5989

Vulnrichment

Updated: 2026-04-10T17:07:34.814Z

NVD

Status: Received

Published: 2026-04-10T00:16:36.170

Modified: 2026-04-10T00:16:36.170

Link: CVE-2026-5989

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:27:27Z

Weaknesses