CVE-2026-0581

Name of the Vulnerable Software and Affected Versions Tenda AC1206 version 15.03.06.23

Description A remote command injection issue exists in the formBehaviorManager function within the /goform/BehaviorManager file of the httpd component. Manipulation of the modulename/option/data/switch argument can lead to command injection. The attack can be launched remotely, and the exploit has been publicly disclosed.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the /goform/BehaviorManager file. Avoid using the modulename, option, data, and switch parameters in the affected API endpoint until the issue is resolved.