Detections
Analytics

CVE-2026-4253

medium

Description

A security flaw has been discovered in Tenda AC8 16.03.50.11. This affects the function route_set_user_policy_rule of the file /cgi-bin/UploadCfg of the component Web Interface. The manipulation of the argument wans.policy.list1 results in os command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

References

https://www.tenda.com.cn/

https://vuldb.com/?submit.771771

https://vuldb.com/?id.351211

https://vuldb.com/?ctiid.351211

https://github.com/digitalandrew/tenda_ac8_v5/blob/main/poc_cmdi_config_upload.py

Details

Source: Mitre, NVD

Published: 2026-03-16

Updated: 2026-03-17

Risk Information

CVSS v2

Base Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:M/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 4.7

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Severity: Medium

CVSS v4

Base Score: 5.1

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Severity: Medium

EPSS

EPSS: 0.00561