CVE-2026-4961

Name of the Vulnerable Software and Affected Versions Tenda AC6 version 15.03.05.16

Description A flaw exists in the Tenda AC6 device that allows for a stack-based buffer overflow. This occurs through the manipulation of the PPPOEPassword argument within the formQuickIndex function, located in the file /goform/QuickIndex, via a POST request handler. The issue is remotely exploitable and a public exploit is available.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the /goform/QuickIndex file. Avoid using the PPPOEPassword parameter in the affected function until the issue is resolved.