CVE-2026-3974

Name of the Vulnerable Software and Affected Versions Tenda W3 version 1.0.0.3(2204)

Description A flaw exists in the HTTP Handler component of Tenda W3 version 1.0.0.3(2204). Specifically, the formexeCommand function within the /goform/exeCommand file is susceptible to a stack-based buffer overflow. Manipulation of the cmdinput argument can trigger this issue, potentially allowing for remote code execution. The exploit for this issue is publicly available.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the formexeCommand function until a patch is available. Restrict access to the /goform/exeCommand file to minimize the risk of exploitation.