PT-2026-39562 · Tenda · Tenda Ac6

St4R · Published 2026-05-10 · Updated 2026-05-12 · CVE-2026-8263

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Tenda AC6 version 15.03.06.49 multi TDE01

Description

A flaw in the httpd component allows remote attackers to perform OS command injection. The issue exists within the fromSetWirelessRepeat() function located in the '/goform/WifiExtraSet' endpoint, where manipulating the mac or ssid arguments enables the execution of arbitrary operating system commands.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the '/goform/WifiExtraSet' endpoint or avoid using the mac and ssid parameters within that endpoint.
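
One way to support the workaround above while no fix is available is to check requests for this endpoint at a filtering proxy or in proxy logs. The following is an added example, not code from the advisory or from the vendor. It assumes form-encoded parameters in the query string or body and uses a generic set of shell metacharacters, since the advisory names neither; the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/WifiExtraSet"   # endpoint named in the advisory
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
# Assumption: generic shell metacharacters; the advisory does not list any.
SHELL_META = set(";|&`$()<>\\\"'\n\r")

def check_request(target, body=""):
    """Return findings for one request; an empty list means nothing flagged."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != ENDPOINT:
        return []
    # Assumption: parameters are form-encoded in the query string or the body.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    findings = []
    for value in params.get("mac", []):
        # A MAC address has one strict shape, so anything else is rejected.
        if not MAC_RE.fullmatch(value):
            findings.append(f"mac is not a plain MAC address: {value!r}")
    for value in params.get("ssid", []):
        # Heuristic: real SSIDs may contain these characters, so treat a hit
        # as a reason to review or block, not as proof of an attack.
        bad = sorted(SHELL_META & set(value))
        if bad or len(value.encode()) > 32:
            findings.append(f"ssid is over 32 bytes or has metacharacters {bad}: {value!r}")
    return findings

# Constructed sample requests (target, body); not taken from real traffic.
SAMPLES = [
    ("/goform/WifiExtraSet", "mac=00:11:22:33:44:55&ssid=office-5g"),
    ("/goform/WifiExtraSet", "mac=00:11:22:33:44:55%3Bx&ssid=office-5g"),
    ("/goform/WifiExtraSet", "mac=00:11:22:33:44:55&ssid=a%60x%60"),
    ("/goform/other?mac=zz", ""),
]

def scan(samples):
    """Return the indexes of the sample requests that produced findings."""
    return [i for i, (target, body) in enumerate(samples) if check_request(target, body)]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(target, body, "->", check_request(target, body) or "ok")
```
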

Exploit

OS Command Injection

Memory Corruption

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-06629
CVE-2026-8263

Affected Products

Tenda Ac6