An unauthenticated command injection vulnerability in the /goform/fast_setting_internet_set endpoint of Tenda AC18 v15.03.05.05 allows attackers to execute arbitrary commands via a crafted payload injected into the mac parameter.
https://github.com/longqx223/Tenda-ac-18-V15.03.05.05-/blob/main/Tenda%20AC18%20Unauthenticated%20Second-Order%20OS%20Command%20Injection%20in%20goformfast_setting_internet_set.pdf
Source: Mitre, NVD
Published: 2026-07-01
Updated: 2026-07-01
Base Score: 6.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
Severity: Medium
Base Score: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N