Home / Vulnerability Intelligence / CVE-2026-38835

CVE-2026-38835 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 22, 2026

Tenda W30E - Command Injection

Published: April 21, 2026Updated: April 22, 2026Remote Exploitable

Overview

Tenda W30E V2.0 V16.01.0.21 contains a command injection caused by improper sanitization of the usbPartitionName parameter in formSetUSBPartitionUmount function, letting attackers execute arbitrary commands remotely, exploit requires crafted request.

Severity & Score

Severity: Critical

CVSS Score: 9.8

Impact

Attackers can execute arbitrary commands remotely, potentially leading to full system compromise.

Mitigation

Update to the latest available version.

References

https://github.com/jsjbcyber/repo/blob/main/rep_2.md

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-38835
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: unconfirmed

CWE

CWE-77

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H