Description
A vulnerability was found in Tenda F451 1.0.0.7. Affected by this issue is the function formWrlExtraSet of the file /goform/WrlExtraSet. The manipulation of the argument GO results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used.
Published: 2026-04-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Stack-based buffer overflow that can lead to remote code execution
Action: Patch Immediately
AI Analysis

Impact

A stack-based buffer overflow occurs in the formWrlExtraSet function that processes requests to the /goform/WrlExtraSet endpoint on Tenda F451 routers. By manipulating the GO argument, an attacker can overflow a stack buffer, potentially corrupting control data and executing arbitrary code. The weakness is identified as uncontrolled buffer overrun (CWE‑119) and stack-based overflow (CWE‑121).

Affected Systems

The flaw has been identified in Tenda F451 firmware version 1.0.0.7; no other firmware releases are currently reported to contain this issue in the CVE record. Devices running that firmware are affected.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and the description states that the attack can be launched remotely with publicly available exploit code. EPSS data is not available, and the vulnerability is not listed in the KEV catalog, but these omissions do not reduce the risk—the vulnerability remains high and likely to be targeted on exposed routers.

Generated by OpenCVE AI on April 10, 2026 at 02:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update available for the Tenda F451 router.
  • If a firmware update is not yet released, restrict external traffic to the /goform/WrlExtraSet interface using firewall rules.
  • Configure the router’s management interface to be accessible only from the internal network, blocking all remote access.
  • Monitor network traffic for attempts to exploit the /goform/WrlExtraSet endpoint and apply any future patches as soon as they are distributed.

Generated by OpenCVE AI on April 10, 2026 at 02:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Tenda f451
Vendors & Products Tenda f451

Fri, 10 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Tenda F451 1.0.0.7. Affected by this issue is the function formWrlExtraSet of the file /goform/WrlExtraSet. The manipulation of the argument GO results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used.
Title Tenda F451 WrlExtraSet formWrlExtraSet stack-based overflow
First Time appeared Tenda
Tenda f451 Firmware
Weaknesses CWE-119
CWE-121
CPEs cpe:2.3:o:tenda:f451_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tenda
Tenda f451 Firmware
References
Metrics cvssV2_0

{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Tenda F451 F451 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-09T23:45:14.599Z

Reserved: 2026-04-09T12:37:10.967Z

Link: CVE-2026-5991

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-10T00:16:36.557

Modified: 2026-04-10T00:16:36.557

Link: CVE-2026-5991

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:27:23Z

Weaknesses