CVE-2026-5152

Name of the Vulnerable Software and Affected Versions Tenda CH22 version 1.0.0.1

Description A buffer overflow exists in the formCreateFileName function located in the file /goform/createFileName. Manipulation of the fileNameMit argument can trigger a stack-based buffer overflow, potentially allowing for remote exploitation. The exploit for this issue is publicly available.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /goform/createFileName endpoint to minimize the risk of exploitation. Avoid using the fileNameMit parameter in the affected API endpoint until the issue is resolved.