Home / Vulnerability Intelligence / CVE-2026-8264

CVE-2026-8264 - Vulnerability Analysis

MediumCVSS: 6.3

Last Updated: May 11, 2026

Tenda AC6 - Command Injection

Published: May 11, 2026Updated: May 11, 2026PoC AvailableRemote Exploitable

Overview

Tenda AC6 15.03.06.23 contains a command injection caused by manipulation of the wl2g.public.country/wl5g.public.country argument in /goform/WifiApScan httpd component, letting remote attackers execute OS commands, exploit requires no special privileges.

Severity & Score

Severity: Medium

CVSS Score: 6.3

Impact

Remote attackers can execute arbitrary OS commands, potentially leading to full system compromise.

Mitigation

Update to the latest version.

References

https://www.tenda.com.cn/
https://github.com/dxz0069/WAVLINK-WN530H4-Command-Injection-in-set_add_routing/blob/main/Tenda%20AC6V2%20formWifiApScan%20Command%20Injection%20via%20country%20parameter.md
https://vuldb.com/submit/810075
https://vuldb.com/vuln/362561
https://vuldb.com/vuln/362561/cti

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-8264
Severity: Medium
CVSS Score: 6.3
Type: command_injection
Status: confirmed

CWE

CWE-77
CWE-78

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L