Description
A security flaw has been discovered in Tenda AC6 15.03.06.49_multi_TDE01. Affected is the function fromSetWirelessRepeat of the file /goform/WifiExtraSet of the component httpd. Performing a manipulation of the argument mac/ssid results in os command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-05-11
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Tenda AC6 firmware 15.03.06.49_multi_TDE01 allows an attacker to manipulate the mac or ssid parameters in the /goform/WifiExtraSet endpoint, resulting in OS command injection. Exploiting this weakness lets the attacker execute arbitrary commands on the device, potentially providing full control over the router. The weakness falls under CWE‑77 and CWE‑78, indicating that unsanitized command-line arguments are passed to the operating system.

Affected Systems

The affected product is the Tenda AC6 Wi‑Fi router running firmware version 15.03.06.49_multi_TDE01. No other vendors or products are listed in the CVE data.

Risk and Exploitability

The CVSS score of 5.1 classifies the issue as medium severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The vulnerability is exploitable remotely via the web interface, and an exploit has already been publicly released, increasing the likelihood that resourceful adversaries may target vulnerable devices.

Generated by OpenCVE AI on May 11, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest Tenda AC6 firmware from the manufacturer’s website, which includes the patch for the command injection bug.
  • If an update is not possible, block or restrict access to the /goform/WifiExtraSet endpoint through network segmentation or firewall rules so that only trusted internal hosts can reach it.
  • Apply input‑validation and sanitization on the mac and ssid parameters, or re‑configure the device to disable remote management features that expose the vulnerable endpoint.

Advisories

No advisories yet.

History

Mon, 11 May 2026 04:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Tenda ac6 |
| Vendors & Products | | Tenda ac6 |

Mon, 11 May 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A security flaw has been discovered in Tenda AC6 15.03.06.49_multi_TDE01. Affected is the function fromSetWirelessRepeat of the file /goform/WifiExtraSet of the component httpd. Performing a manipulation of the argument mac/ssid results in os command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. |
| Title | | Tenda AC6 httpd WifiExtraSet fromSetWirelessRepeat os command injection |
| First Time appeared | | Tenda; Tenda ac6 Firmware |
| Weaknesses | | CWE-77; CWE-78 |
| CPEs | | `cpe:2.3:o:tenda:ac6_firmware:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Tenda; Tenda ac6 Firmware |
| References | | |
| Metrics (cvssV2_0) | | score 5.8, vector `AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR` |
| Metrics (cvssV3_0) | | score 4.7, vector `CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R` |
| Metrics (cvssV3_1) | | score 4.7, vector `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R` |
| Metrics (cvssV4_0) | | score 5.1, vector `CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P` |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-11T02:00:16.521Z

Reserved: 2026-05-10T15:35:34.814Z

Link: CVE-2026-8263

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-05-11T02:16:28.120

Modified: 2026-05-11T15:06:30.020

Link: CVE-2026-8263

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T04:00:09Z
