CVE-2026-24101

Name of the Vulnerable Software and Affected Versions Tenda AC15 versions prior to V15.03.05.18 multi

Description A flaw exists in the goform/formSetIptv function of Tenda AC15 routers due to improper handling of code generation in memory when processing the s1 1 parameter. Exploitation of this issue could allow a remote attacker to execute arbitrary commands. Specifically, the s1 1 parameter is passed into the sub B0488 function and concatenated into the doSystemCmd function without validation, potentially leading to command injection.

Recommendations Update to a version later than V15.03.05.18 multi.