7.4
Tenda AC5 Router: Remote Code Execution via Malformed Request
CVE-2026-4904
Summary
A security flaw in the Tenda AC5 router allows an attacker who sends a specially crafted request to execute malicious code on the device and potentially take control of it. Tenda has not yet released a patch, so users should consider disabling the affected feature or upgrading to a patched version when one becomes available.
Original title
A vulnerability has been found in Tenda AC5 15.03.06.47. This issue affects the function formSetCfm of the file /goform/setcfm of the component POST Request Handler. Such manipulation of the argume...
Original description
A vulnerability has been found in Tenda AC5 15.03.06.47. This issue affects the function formSetCfm of the file /goform/setcfm of the component POST Request Handler. Such manipulation of the argument funcpara1 leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
nvd CVSS2.0
9.0
nvd CVSS3.1
8.8
nvd CVSS4.0
7.4
Vulnerability type
CWE-119
Buffer Overflow
CWE-121
Stack-based Buffer Overflow
Published: 27 Mar 2026 · Updated: 27 Mar 2026 · First seen: 27 Mar 2026