CVE-2026-38142
MEDIUM
NVD
CVSS Score: 6.5
Severity: MEDIUM
Published: Jul 01, 2026
Vendor: unknown
Description
An unauthenticated command injection vulnerability in the /goform/fast_setting_internet_set endpoint of Tenda AC18 v15.03.05.05 allows attackers to execute arbitrary commands via a crafted payload injected into the mac parameter.
References
- https://github.com/longqx223/Tenda-ac-18-V15.03.05.05-/blob/main/Tenda%20AC18%20Unauthenticated%20Second-Order%20OS%20Command%20Injection%20in%20goformfast_setting_internet_set.pdf