Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function uploadPicture. This vulnerability allows attackers to execute arbitrary commands via the pic_name parameter.
https://github.com/pjqwudi/my_vuln/blob/main/Tenda/vuln_1/1.md