Description
A vulnerability was determined in Tenda F456 1.0.0.5. The affected element is the function formwebtypelibrary of the file /goform/webtypelibrary. Manipulating the argument menufacturer/Go causes a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A stack-based buffer overflow exists in the Tenda F456 router’s web interface function formwebtypelibrary, accessed via the /goform/webtypelibrary endpoint. Manipulating the menufacturer/Go argument triggers the overflow, overwriting stack data and potentially allowing an attacker to execute arbitrary code. The flaw aligns with the CWE-119 and CWE-121 weaknesses.

Affected Systems

The vulnerability is limited to the Tenda F456 router running firmware version 1.0.0.5. No other firmware revisions are listed as affected, and the attack vector is remote through the router’s web management interface.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity flaw with a remote attack vector. While EPSS data is unavailable and the vulnerability is not in the CISA KEV catalog, the available evidence shows the exploit was publicly disclosed and can be initiated remotely. This suggests a realistic risk of compromise if the device is exposed to potential attackers.

Generated by OpenCVE AI on April 13, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware available from Tenda to address the formwebtypelibrary stack overflow.
  • If a firmware update is not yet released, download the newest official firmware from Tenda’s website and install it manually after backing up current settings.
  • Restrict the router’s management interface to trusted internal networks only, or disable external access to the web management ports 80 and 443.
  • Block HTTP/HTTPS traffic directed at the router’s management IP from all external sources using a firewall or network access control.
  • Monitor router logs for repeated access attempts to /goform/webtypelibrary and block suspicious IP addresses with a firewall or intrusion prevention system.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda; Tenda f456
Vendors & Products | | Tenda; Tenda f456

Tue, 14 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in Tenda F456 1.0.0.5. The affected element is the function formwebtypelibrary of the file /goform/webtypelibrary. This manipulation of the argument menufacturer/Go causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Title | | Tenda F456 webtypelibrary formwebtypelibrary stack-based overflow
Weaknesses | | CWE-119; CWE-121
References | |
Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-14T13:07:41.730Z

Reserved: 2026-04-13T08:48:18.635Z

Link: CVE-2026-6200

Vulnrichment

Updated: 2026-04-14T13:07:38.534Z

NVD

Status: Received

Published: 2026-04-13T19:16:58.240

Modified: 2026-04-13T19:16:58.240

Link: CVE-2026-6200

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:33:33Z