CVE-2026-8263

MEDIUM

Tenda AC6 httpd WifiExtraSet fromSetWirelessRepeat os command injection

Title source: cna

Description

A security flaw has been discovered in Tenda AC6 15.03.06.49_multi_TDE01. Affected is the function fromSetWirelessRepeat of the file /goform/WifiExtraSet of the component httpd. Performing a manipulation of the argument mac/ssid results in os command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.

References (5)

Core 5

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-362560 | Tenda AC6 httpd WifiExtraSet fromSetWirelessRepeat os command injection

https://vuldb.com/vuln/362560

Signature, Permissions Required signature permissions-required

VDB-362560 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/362560/cti

Third Party Advisory third-party-advisory

Submit #810074 | Tenda AC6 V2.0 (AC1206) Firmware V15.03.06.23 Command Injection via mac/ssid

https://vuldb.com/submit/810074

Exploit exploit

https://github.com/yaoyue123/iot/blob/main/Tenda/AC10U/fromSetWirelessRepeat.md

View Exploit ZIP pw:eip

Product product

https://www.tenda.com.cn/

Scores

CVSS v3 4.7

EPSS 0.0035

EPSS Percentile 57.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-77 CWE-78 CWE-787

Status published

Products (2)

tenda/ac10u_firmware 15.03.06.49_multi_tde01

Tenda/AC6 15.03.06.49_multi_TDE01

Published May 11, 2026

Tracked Since May 11, 2026