PT-2026-1228 · Tenda · Tenda Ac1206
2160288544
Published 2026-01-04 · Updated 2026-01-05
CVE-2026-0581
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Tenda AC1206 version 15.03.06.23
Description
A remote command injection issue exists in the formBehaviorManager function within the /goform/BehaviorManager file of the httpd component. Manipulation of the modulename/option/data/switch argument can lead to command injection. The attack can be launched remotely, and the exploit has been publicly disclosed.
Recommendations
Update to a newer version that contains a fix for this vulnerability.
As a temporary workaround, consider restricting access to the /goform/BehaviorManager file.
Avoid using the modulename, option, data, and switch parameters in the affected API endpoint until the issue is resolved.
Exploit
Fix
Command Injection
Special Elements Injection
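An added example (not from the advisory or from Tenda) of how a gateway or log pipeline in front of the router could apply the workaround from the Recommendations and flag special elements in the four named parameters. The admin subnet, the character set, and the sample requests are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/BehaviorManager"                 # path named in the advisory
PARAMS = {"modulename", "option", "data", "switch"}  # arguments named in the advisory
# Assumption: the management subnet allowed to reach the endpoint.
ADMIN_NET = ipaddress.ip_network("192.168.0.0/24")
# Assumption: a conservative set of shell special elements.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\r\n]")


def suspicious_fields(target, body=""):
    """Return None if the request is not for the endpoint; otherwise the
    (name, value) pairs among the advisory's parameters whose URL-decoded
    value contains a shell special element."""
    parts = urlsplit(target)
    # Case-insensitive path match is deliberately conservative.
    if parts.path.rstrip("/").casefold() != ENDPOINT.casefold():
        return None
    fields = parse_qsl(parts.query, keep_blank_values=True)
    fields += parse_qsl(body, keep_blank_values=True)
    return [(k, v) for k, v in fields if k in PARAMS and SHELL_META.search(v)]


def verdict(src_ip, target, body=""):
    """Classify one request as ignore, alert, deny or allow."""
    hits = suspicious_fields(target, body)
    if hits is None:
        return "ignore"   # some other URL
    if hits:
        return "alert"    # special element in a named parameter
    if ipaddress.ip_address(src_ip) not in ADMIN_NET:
        return "deny"     # workaround: endpoint reachable from admin net only
    return "allow"


# Constructed sample requests: (source IP, request target, form body).
SAMPLES = [
    ("192.168.0.10", "/goform/BehaviorManager", "modulename=m&option=1&data=on&switch=1"),
    ("203.0.113.7", "/goform/BehaviorManager", "modulename=m&option=1&data=on%3Bx&switch=1"),
    ("203.0.113.7", "/goform/BehaviorManager?switch=1", ""),
    ("192.168.0.10", "/index.html", ""),
]

if __name__ == "__main__":
    for src, target, body in SAMPLES:
        print(src, target, verdict(src, target, body))
```

The check runs on URL-decoded values, so percent-encoded special elements are flagged as well as literal ones.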
Related Identifiers
Affected Products
Tenda Ac1206