Description
A vulnerability was identified in Tenda F451 1.0.0.7_cn_svn7958. The affected element is the function fromSafeClientFilter of the file /goform/SafeClientFilter of the component httpd. The manipulation of the argument menufacturer/Go leads to buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Published: 2026-04-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the fromSafeClientFilter function within the httpd component of the Tenda F451 firmware. Manipulating the menufacturer/Go argument in a request to the /goform/SafeClientFilter endpoint causes a buffer overflow, which can be leveraged by an attacker to execute arbitrary code on the device. The description states that remote exploitation is possible and that a public exploit exists, indicating that an attacker can gain control without local access.

Affected Systems

The only vendor/product explicitly listed in the CNA data is Tenda F451. The affected firmware is identified as 1.0.0.7_cn_svn7958. No additional version ranges are provided, so any device running that exact build or earlier unpatched builds is at risk.

Risk and Exploitability

The CVSS base score of 8.7 categorizes this flaw as a high severity vulnerability. EPSS information is not available, so the current evidence does not quantify exploitation frequency, but the statement that a public exploit is available suggests that the risk of real-world attacks is substantial. Because the flaw allows remote code execution and is publicly documented, a likely attack vector is a network-facing HTTP request to the affected endpoint. The device is not listed in the CISA KEV catalog, which may delay awareness, but the severity and public exploit availability underscore the need for rapid remediation.

Generated by OpenCVE AI on April 20, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update for the Tenda F451 that contains the buffer‑overflow fix; this is the preferred and definitive solution.
  • If a firmware upgrade cannot be performed immediately, disable the SafeClientFilter feature through the device's management interface or block external access to the /goform/SafeClientFilter URL using the router’s firewall or access‑control list.
  • Isolate the device on a separate network segment, restrict inbound connections to trusted networks, and monitor for abnormal traffic or exploitation attempts.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Mon, 20 Apr 2026 12:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Tenda f451 |
| Vendors & Products | | Tenda f451 |

Mon, 20 Apr 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was identified in Tenda F451 1.0.0.7_cn_svn7958. The affected element is the function fromSafeClientFilter of the file /goform/SafeClientFilter of the component httpd. The manipulation of the argument menufacturer/Go leads to buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. |
| Title | | Tenda F451 httpd SafeClientFilter fromSafeClientFilter buffer overflow |
| First Time appeared | | Tenda; Tenda f451 Firmware |
| Weaknesses | | CWE-119; CWE-120 |
| CPEs | | cpe:2.3:o:tenda:f451_firmware:*:*:*:*:*:*:*:* |
| Vendors & Products | | Tenda; Tenda f451 Firmware |
| References | | |
| Metrics | | cvssV2_0 {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0 {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'} |
| | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'} |
| | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T15:05:42.179Z

Reserved: 2026-04-19T17:05:50.258Z

Link: CVE-2026-6632

Vulnrichment

Updated: 2026-04-20T15:05:18.911Z

NVD

Status: Received

Published: 2026-04-20T11:16:19.760

Modified: 2026-04-20T11:16:19.760

Link: CVE-2026-6632

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T12:30:05Z

Weaknesses