Description
This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote at-tacker could exploit this vulnerability by capturing session cookies transmitted over an insecure HTTP connection. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unau-thorized access to the targeted device.
References (1)
Core 1
Core References
Various Sources third-party-advisory
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0004
Scores
CVSS v4
8.8
EPSS
0.0002
EPSS Percentile
6.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1004
Status
published
Products (6)
Tenda/300Mbps Wireless Router F3 and N300 Easy Setup Router
F3 v3.0 Firmware V12.01.01.41
Tenda/300Mbps Wireless Router F3 and N300 Easy Setup Router
F3 v3.0 Firmware V12.01.01.42
Tenda/300Mbps Wireless Router F3 and N300 Easy Setup Router
F3 v3.0 Firmware V12.01.01.48
Tenda/300Mbps Wireless Router F3 and N300 Easy Setup Router
F3 v3.0 Firmware V12.01.01.52
Tenda/300Mbps Wireless Router F3 and N300 Easy Setup Router
F3 v3.0 Firmware V12.01.01.55
Tenda/300Mbps Wireless Router F3 and N300 Easy Setup Router
F3 v4.0 Firmware V03.03.01.40
Published
Jan 09, 2026
Tracked Since
Feb 18, 2026