Home / Vulnerability Intelligence / CVE-2026-8259

CVE-2026-8259 - Vulnerability Analysis

MediumCVSS: 4.7

Last Updated: May 11, 2026

Tenda AC6 - Command Injection

Published: May 11, 2026Updated: May 11, 2026PoC AvailableRemote Exploitable

Overview

Tenda AC6 2.0/15.03.06.23 contains a command injection caused by manipulation of the "lan.ip" argument in /goform/telnet of httpd, letting remote attackers execute arbitrary OS commands, exploit requires no special privileges.

Severity & Score

Severity: Medium

CVSS Score: 4.7

Impact

Remote attackers can execute arbitrary OS commands, potentially taking full control of the device.

Mitigation

Update to the latest version or apply vendor patches addressing this issue.

References

https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/Tenda%20AC6V2%20TendaTelnet%20Command%20Injection.md
https://vuldb.com/submit/809877
https://vuldb.com/vuln/362556
https://vuldb.com/vuln/362556/cti
https://www.tenda.com.cn/

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-8259
Severity: Medium
CVSS Score: 4.7
Type: command_injection
Status: confirmed

CWE

CWE-77
CWE-78

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L