PT-2026-38217

Minanagehsalalma · Published 2026-05-06 · Updated 2026-05-31 · CVE-2026-34473

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

ZTE H8102E (affected versions not specified)
ZTE H168N (affected versions not specified)
ZTE H167A (affected versions not specified)
ZTE H199A (affected versions not specified)
ZTE H288A (affected versions not specified)
ZTE H198A (affected versions not specified)
ZTE H267A (affected versions not specified)
ZTE H267N (affected versions not specified)
ZTE H268A (affected versions not specified)
ZTE H388X (affected versions not specified)
ZTE H196A (affected versions not specified)
ZTE H369A (affected versions not specified)
ZTE H268N (affected versions not specified)
ZTE H208N (affected versions not specified)
ZTE H367N (affected versions not specified)
ZTE H181A (affected versions not specified)
ZTE H196Q (affected versions not specified)

Description

An unauthenticated denial-of-service condition exists in the web interface of several router models. The issue occurs because the CGILua parser (a component that processes Common Gateway Interface requests using the Lua programming language) eagerly reads and processes request bodies before authentication. An attacker can trigger this by sending an oversized application/x-www-form-urlencoded POST body, which may cause the management interface to become unresponsive until the device is rebooted.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
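
The ordering flaw in the description, modelled as an added Python example (not ZTE firmware or CGILua code, and not a vendor fix): `eager_handler` reads and parses the body before the authentication check, while `guarded_handler` authenticates first and bounds the read. The size and field caps, the function names and the `CountingBody` helper are assumptions made for the illustration.

```python
import io
from urllib.parse import parse_qs

MAX_FORM_BYTES = 64 * 1024  # assumed cap for a management-UI form
MAX_FORM_FIELDS = 64        # assumed cap on parameters per request
FORM_TYPE = "application/x-www-form-urlencoded"


class CountingBody(io.BytesIO):
    """Request-body stream that records how many bytes the handler pulled."""
    consumed = 0

    def read(self, size=-1):
        chunk = super().read(size)
        self.consumed += len(chunk)
        return chunk


def eager_handler(headers, body, authenticated):
    """Order the advisory describes: read and parse first, authenticate after."""
    form = parse_qs(body.read().decode("latin-1"))  # unbounded, pre-auth
    return (200, form) if authenticated else (401, None)


def guarded_handler(headers, body, authenticated):
    """Authenticate, validate the declared length, then do a bounded read."""
    if not authenticated:
        return 401, None  # body is never touched
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != FORM_TYPE:
        return 415, None
    declared = headers.get("Content-Length", "")
    if not (declared.isascii() and declared.isdigit()):
        return 411, None  # no usable length: refuse instead of reading to EOF
    if int(declared) > MAX_FORM_BYTES:
        return 413, None
    raw = body.read(int(declared))  # at most MAX_FORM_BYTES
    try:
        return 200, parse_qs(raw.decode("latin-1"), max_num_fields=MAX_FORM_FIELDS)
    except ValueError:
        return 400, None  # more fields than MAX_FORM_FIELDS


def bytes_consumed(handler, payload, authenticated=False):
    """Run a handler on a constructed form POST; return (status, bytes read)."""
    body = CountingBody(payload)
    headers = {"Content-Type": FORM_TYPE, "Content-Length": str(len(payload))}
    status, _ = handler(headers, body, authenticated)
    return status, body.consumed
```

Both handlers answer 401 to an unauthenticated request; the difference that matters for this issue is the second value, the number of body bytes the server processed before deciding.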

Exploit

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-34473

Affected Products

Undefined