EIP-2026-101471

PRE-CVE

Tenda HG6 v3.3.0 - Remote Command Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-101471. PoCs published by LiquidWorm.

AI-analyzed exploit summary This exploit demonstrates an authenticated remote command injection vulnerability in Tenda HG6 v3.3.0. It leverages the 'pingAddr' and 'traceAddr' parameters in multiple HTTP POST endpoints to execute arbitrary shell commands, as shown by the provided payloads and their outputs.

Description

Tenda HG6 v3.3.0 - Remote Command Injection

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textremotehardware

https://www.exploit-db.com/exploits/50916

View Code ZIP pw:eip

This exploit demonstrates an authenticated remote command injection vulnerability in Tenda HG6 v3.3.0. It leverages the 'pingAddr' and 'traceAddr' parameters in multiple HTTP POST endpoints to execute arbitrary shell commands, as shown by the provided payloads and their outputs.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Tenda HG6 v3.3.0 (Firmware version: 3.3.0-210926)

Auth required

Prerequisites: Authenticated access to the Tenda HG6 web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026