Description
A vulnerability was determined in Tenda F451 1.0.0.7_cn_svn7958. Impacted is the function fromwebExcptypemanFilter of the file /goform/webExcptypemanFilter of the component httpd. Executing a manipulation of the argument page can lead to buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the fromwebExcptypemanFilter function of the Tenda F451 httpd component. A malformed page argument triggers a buffer overflow, which may enable an attacker to execute arbitrary code on the device with privileges of the httpd process, compromising confidentiality, integrity, and availability of traffic handled by the device.

Affected Systems

Tenda F451 model with firmware version 1.0.0.7_cn_svn7958. The affected component is the httpd service accessed via /goform/webExcptypemanFilter.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. The attack can be launched remotely by sending a crafted request to the web form endpoint, as the exploit has been publicly disclosed. Given the lack of mitigation on typical consumer routers, the risk to exposed devices is significant.

Generated by OpenCVE AI on April 20, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to a version that addresses the fromwebExcptypemanFilter buffer overflow, as released by the vendor.
  • Restrict access to the Tenda F451 web interface by limiting management traffic to a trusted IP range or by placing the device behind a firewall.
  • If an immediate firmware update is not possible, block or filter requests to /goform/webExcptypemanFilter using a local firewall or configuration setting to prevent the exploitation vector.

Generated by OpenCVE AI on April 20, 2026 at 12:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Tenda f451
Vendors & Products Tenda f451

Mon, 20 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in Tenda F451 1.0.0.7_cn_svn7958. Impacted is the function fromwebExcptypemanFilter of the file /goform/webExcptypemanFilter of the component httpd. Executing a manipulation of the argument page can lead to buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Title Tenda F451 httpd webExcptypemanFilter fromwebExcptypemanFilter buffer overflow
First Time appeared Tenda
Tenda f451 Firmware
Weaknesses CWE-119
CWE-120
CPEs cpe:2.3:o:tenda:f451_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tenda
Tenda f451 Firmware
References
Metrics cvssV2_0

{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Tenda F451 F451 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T15:07:58.242Z

Reserved: 2026-04-19T17:05:44.163Z

Link: CVE-2026-6631

cve-icon Vulnrichment

Updated: 2026-04-20T15:07:45.838Z

cve-icon NVD

Status : Received

Published: 2026-04-20T11:16:19.583

Modified: 2026-04-20T11:16:19.583

Link: CVE-2026-6631

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T12:30:05Z

Weaknesses