CVE-2026-7160

Name of the Vulnerable Software and Affected Versions Tenda HG3 version 2.0

Description A remote command injection issue exists in the formTracert() function within the '/boaform/formTracert' file. This occurs when the datasize argument is manipulated, allowing an attacker to execute arbitrary commands on the device.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the '/boaform/formTracert' endpoint to minimize the risk of exploitation.