CVE-2026-38142

Severity: Medium

Description

An unauthenticated command injection vulnerability in the /goform/fast_setting_internet_set endpoint of Tenda AC18 v15.03.05.05 allows attackers to execute arbitrary commands via a crafted payload injected into the mac parameter.

References

https://github.com/longqx223/Tenda-ac-18-V15.03.05.05-/blob/main/Tenda%20AC18%20Unauthenticated%20Second-Order%20OS%20Command%20Injection%20in%20goformfast_setting_internet_set.pdf

Details

Source: Mitre, NVD

Published: 2026-07-01

Updated: 2026-07-01

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Severity: Medium